Suspicious Hidden User Created
#
This Playbook is part of the Cortex Response And Remediation Pack.Supported versions
Supported Cortex XSOAR versions: 8.8.0 and later.
This playbook addresses the following alerts:
Suspicious Hidden User Created
Playbook Stages:
Triage:
Retrieve event information about the created user
Investigation:
Check whether the user account is local or domain-based.
For domain users: Retrieve AD attributes, including password expiration.
For local users: Run a Powershell command to get "Password Expires" attribute of the local user.
Retrieve the risk level for the affected host.
Search for related Script Engine Activity alerts in the incident.
Check for suspicious command lines executed on the host.
Search for privileged group membership changes.
Check for authentication logs of the hidden user.
Monitor for suspicious share access or service installations.
Search for RDP sessions related to the hidden user.
Containment:
For risky hosts with suspicious users that have non-expiring passwords, perform soft remediation by terminating causality processes.
For alerts showing clear malicious behavior patterns, perform hard remediation.
For alerts confirmed as true positives, ask the analyst to disable the user.
Upon receiving the analyst's approval, disable the suspicious user account (domain or local).
If a related alert about malicious activity exists, kill the Causality Group Owner (CGO) process that created the suspicious user.
Requirements: For response actions, you need the following integrations:
Cortex Core - Investigation and Response
Active Directory Query v2 (for domain user actions)
XQL Query Engine (for enhanced investigation)
SlackV3 or Microsoft Teams (optional, for user verification).
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooksThis playbook does not use any sub-playbooks.
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- CommandLineAnalysis
- IsIntegrationAvailable
- SearchAlertsV2
- Set
- SetAndHandleEmpty
- disable-user
- get-endpoint-data
- get-user-data
#
Commands- closeInvestigation
- core-execute-command
- core-get-cloud-original-alerts
- core-get-process-analytics-prevalence
- core-terminate-causality
- xdr-xql-generic-query
#
Playbook InputsThere are no inputs for this playbook.
#
Playbook OutputsThere are no outputs for this playbook.