User Account Management
Alert ID: user_management
MITRE ATT&CK: T1136 – Create Account · T1098 – Account Manipulation
Severity / Criticality
| Level | Condition |
|---|---|
| Info | Standard user creation or deletion |
| High | Privilege escalation/demotion, or creation of a new administrator |
Why is it considered malicious?
- Unauthorized administrator creation: possible backdoor for persistent access.
- Privilege escalation: enables lateral movement or full site control.
- Mass user deletion: possible cover-up or sabotage attempt.
- Unusual role changes: clear sign of possible compromise.
!!! warning ""
    Attackers often create apparently “legitimate” users to maintain hidden access to the system.
When does the alert trigger?
- User creation: any new user registration or creation (Info).
- Administrator creation: new user with the administrator role (High).
- User deletion: any deleted account.
- Role change: privilege escalation or demotion.
- Role-weight analysis:
| Role | Weight |
|---|---|
| Administrator | 10 |
| Editor | 7 |
| Author | 5 |
| Contributor | 3 |
| Subscriber | 1 |
Technical Indicators (IOCs)
| Type | Pattern | Description |
|---|---|---|
| log_pattern | `SELECT * FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 1 DAY)` | Recently created-user detection |
| log_pattern | `wp_capabilities LIKE '%administrator%'` | Search for administrator accounts |
| behavior | `admin2`, `wpupdate`, `wpengine`, `backup`, `support` | Suspicious usernames |
| behavior | `@temp-mail`, `@guerrillamail` | Temporary or disposable email addresses |
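The role-weight table and the IOC table above can be combined into one classifier. The following is an added example written for this page, not code from the alert's own implementation or from any WordPress plugin; the `UserEvent` structure (what a collector would hand to the rule) is an assumption, and the role weights and indicator lists are copied from the tables above.

```python
"""Classify WordPress user-management events using the role weights and
indicators from this alert definition.

Added example, not part of the original alert page or of any WordPress
plugin. The UserEvent shape is an assumption made for the demonstration."""
from dataclasses import dataclass
from typing import Optional

# Role weights taken from the "Role-weight analysis" table.
ROLE_WEIGHTS = {
    "administrator": 10,
    "editor": 7,
    "author": 5,
    "contributor": 3,
    "subscriber": 1,
}

# Indicators taken from the IOC table. Usernames are matched exactly
# (case-insensitive); e-mail markers are matched as substrings of the domain.
SUSPICIOUS_USERNAMES = {"admin2", "wpupdate", "wpengine", "backup", "support"}
DISPOSABLE_EMAIL_MARKERS = ("temp-mail", "guerrillamail")


@dataclass
class UserEvent:
    """One user-management event as a collector might emit it (assumed shape)."""
    action: str                      # "create", "delete" or "role_change"
    user_login: str
    user_email: str
    new_role: Optional[str] = None   # role after the event, if any
    old_role: Optional[str] = None   # role before a role_change


def role_weight(role: Optional[str]) -> int:
    """Weight of a role; custom or missing roles weigh 0, so a change to or
    from them still shows up as a weight delta."""
    return ROLE_WEIGHTS.get((role or "").lower(), 0)


def match_indicators(event: UserEvent) -> list:
    """Return the IOC-table entries the event matches (possibly none)."""
    hits = []
    if event.user_login.lower() in SUSPICIOUS_USERNAMES:
        hits.append("suspicious_username")
    domain = event.user_email.rsplit("@", 1)[-1].lower()
    if any(marker in domain for marker in DISPOSABLE_EMAIL_MARKERS):
        hits.append("disposable_email")
    return hits


def classify(event: UserEvent) -> dict:
    """Map an event to the severity levels of the alert definition: Info for
    plain creation or deletion, High for administrator creation and for any
    role change that moves the role weight up or down."""
    if event.action == "create":
        if (event.new_role or "").lower() == "administrator":
            severity, reason = "High", "administrator creation"
        else:
            severity, reason = "Info", "user creation"
    elif event.action == "delete":
        severity, reason = "Info", "user deletion"
    elif event.action == "role_change":
        delta = role_weight(event.new_role) - role_weight(event.old_role)
        if delta > 0:
            severity, reason = "High", "privilege escalation"
        elif delta < 0:
            severity, reason = "High", "privilege demotion"
        else:
            severity, reason = "Info", "role change with equal weight"
    else:
        raise ValueError(f"unknown action: {event.action}")
    return {
        "user_login": event.user_login,
        "severity": severity,
        "reason": reason,
        # Indicators do not alter the severity the alert defines; they are
        # attached so the analyst sees them during triage.
        "indicators": match_indicators(event),
    }


if __name__ == "__main__":
    # Constructed sample events, not real log data.
    sample = [
        UserEvent("create", "jdoe", "jdoe@example.com", new_role="subscriber"),
        UserEvent("create", "admin2", "x@guerrillamail.com", new_role="administrator"),
        UserEvent("role_change", "bob", "bob@example.com", new_role="administrator", old_role="editor"),
        UserEvent("delete", "carol", "carol@example.com"),
    ]
    for ev in sample:
        print(classify(ev))
```

Demotions are rated High alongside escalations because the severity table treats both as privilege changes; the indicator hits are reported separately so that a match on a username like `support` does not by itself raise an Info event to High.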
Common false positives
- Legitimate creation by authorized administrators.
- Membership or e-commerce plugins creating users automatically.
- Bulk imports from external tools.
!!! tip ""
    Always verify time, source IP, and business context before dismissing an alert.
Investigation steps
- Verify legitimacy: check whether the creator was authorized and whether the event occurred during normal hours.
- Analyze the new user:
  ```bash
  wp user get [user_id] --fields=ID,user_login,user_email,roles
  ```
- Search for related activity: more user creation, plugin installation, or theme changes.
- Review all existing administrators:
  ```bash
  wp user list --role=administrator
  ```
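The last two steps can be automated by feeding the administrator list from WP-CLI into a small audit script. The following is an added example for this page, not code from WP-CLI or from the alert's implementation; the approved-administrator baseline, the business-hours window (08:00 to 17:59 server time) and the sample WP-CLI output are assumptions made for the demonstration, and the recent-registration window mirrors the one-day interval used in the IOC table.

```python
"""Audit the administrator list returned by WP-CLI against an approved
baseline, the 24-hour recent-registration window and normal business hours.

Added example, not part of the original alert page or of WP-CLI. The
baseline, the business-hours window and the sample output are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample of what
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
# could return. These are not real accounts.
SAMPLE_WP_OUTPUT = """[
  {"ID": 1,  "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2023-01-10 09:12:44"},
  {"ID": 58, "user_login": "wpupdate", "user_email": "ops@temp-mail.org",
   "user_registered": "2024-05-02 03:17:09"}
]"""

APPROVED_ADMINS = {"siteowner"}       # hypothetical baseline kept outside WordPress
BUSINESS_HOURS = range(8, 18)         # assumed 08:00-17:59 server time
RECENT_WINDOW = timedelta(days=1)     # same window as DATE_SUB(NOW(), INTERVAL 1 DAY)


def audit_admins(wp_json: str, approved: set, now: datetime) -> list:
    """Return one finding per administrator that needs attention.

    A finding lists every reason that applies: missing from the approved
    baseline, registered within the last 24 hours relative to `now`, or
    registered outside business hours."""
    findings = []
    for user in json.loads(wp_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in approved:
            reasons.append("not in approved administrator baseline")
        if timedelta(0) <= now - registered <= RECENT_WINDOW:
            reasons.append("registered within the last 24 hours")
        if registered.hour not in BUSINESS_HOURS:
            reasons.append("registered outside business hours")
        if reasons:
            findings.append({
                "ID": user["ID"],
                "user_login": user["user_login"],
                "user_email": user["user_email"],
                "reasons": reasons,
            })
    return findings


def run_sample() -> list:
    """Audit the constructed sample at a fixed reference time (2024-05-02 12:00)."""
    return audit_admins(SAMPLE_WP_OUTPUT, APPROVED_ADMINS, datetime(2024, 5, 2, 12, 0, 0))


if __name__ == "__main__":
    # In production the JSON would come from running the wp command, e.g.
    # subprocess.run([...], capture_output=True, text=True).stdout, and `now`
    # from datetime.now() on the same host as the database.
    for finding in run_sample():
        print(finding)
```

Keeping the baseline outside WordPress matters: an attacker with an administrator account can edit anything stored in the site itself, so the list of who is allowed to be an administrator should live in a change-controlled place the site cannot modify.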
Recommended mitigations
=== "Immediate"
    !!! danger ""
        - Suspend the suspicious user immediately.
        - Audit all accounts with administrative privileges.
        - Review the new user's activity logs.
        - Confirm with the team whether the action was authorized.

=== "Preventive"
    !!! tip ""
        - Implement **dual approval** for administrator creation.
        - Maintain a detailed **audit trail**.
        - Enable **email notifications** for role changes.
        - Apply the **principle of least privilege**.
        - Review users and permissions regularly.

References
- MITRE ATT&CK T1136 – Create Account
- MITRE ATT&CK T1098 – Account Manipulation
- CIS Controls – Account Management