RMM alerts for a new Windows account being created?

I’m reading this fascinating rundown of an intrusion by Cisco (Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Cisco Talos shares insights related to recent cyber attack on Cisco). One thing the bad actor did was to add additional user accounts.

Does anyone currently use Syncro to pop an RMM alert (and/or create a ticket) when a new user account is created?

I believe there are scripts that monitor for admin accounts created. That should be a good starting point, where you can modify it to notify on all local accounts created.

If you have security auditing turned on in Group Policy, you can monitor these and many other changes with event IDs: Audit User Account Management (Windows 10) - Windows security | Microsoft Docs

1 Like
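A sketch of the scheduled check the replies describe, added here as an example and not posted by anyone in the thread. It reads Security event 4720 (a user account was created) and 4732 (a member was added to a local group, filtered to Administrators). It assumes success auditing is enabled for Audit User Account Management and Audit Security Group Management, that the script runs elevated, and that Syncro's script module is exposed through `$env:SyncroModule` with its `Rmm-Alert` cmdlet. The look-back window and alert category name are made up for illustration.

```powershell
# Added example: run on a schedule from the RMM agent (as SYSTEM).
$LookbackMinutes = 20            # assumed: slightly longer than the schedule interval
$AdminGroupSid   = 'S-1-5-32-544' # well-known SID of BUILTIN\Administrators

# Turn the named <Data> elements of an event into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4732
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}
# Returns nothing (instead of throwing) when no matching events exist.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $f = Get-EventFields $e
    switch ($e.Id) {
        4720 {
            '{0:u} account created: {1}\{2} by {3}\{4}' -f $e.TimeCreated,
                $f.TargetDomainName, $f.TargetUserName,
                $f.SubjectDomainName, $f.SubjectUserName
        }
        4732 {
            # For 4732, TargetSid is the group and MemberSid is the account added.
            if ($f.TargetSid -eq $AdminGroupSid) {
                '{0:u} added to Administrators: {1} by {2}\{3}' -f $e.TimeCreated,
                    $f.MemberSid, $f.SubjectDomainName, $f.SubjectUserName
            }
        }
    }
}

if ($findings) {
    $body = $findings -join "`n"
    if ($env:SyncroModule) {
        Import-Module $env:SyncroModule
        Rmm-Alert -Category 'New Local Account' -Body $body  # category name is made up
    } else {
        Write-Output $body   # fallback when not running under the Syncro agent
    }
}
```

If the audit policies are not enabled, the query returns no events and the script stays silent, so confirm 4720 events actually appear in the Security log after creating a test account.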