title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: experimental
description: |
  Adversaries may manipulate accounts to maintain access to victim systems.
  Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021/12/28
logsource:
    product: windows
    category: ps_script
detection:
    selection:
        ScriptBlockText|contains:
            - 'Disable-LocalUser'
            - 'Enable-LocalUser'
            - 'Get-LocalUser'
            - 'Set-LocalUser'
            - 'New-LocalUser'
            - 'Rename-LocalUser'
            - 'Remove-LocalUser'
    condition: selection
falsepositives:
  - Legitimate administrative script
level: medium
tags:
  - attack.persistence
  - attack.t1098