diff --git a/file/audit/pfsense/known-default-account.yaml b/file/audit/pfsense/known-default-account.yaml
new file mode 100644
index 0000000000..cdec95d721
--- /dev/null
+++ b/file/audit/pfsense/known-default-account.yaml
@@ -0,0 +1,27 @@
+id: known-default-account
+
+info:
+ name: Known Default Account - Detected
+ author: pussycat0x
+ severity: info
+ description: |
+ In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System.
+ The known default accounts are often (without limiting to) the following: 'admin'.
+ reference: |
+ https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
+ remediation: |
+ Deletes the known default accounts configured.
+ tags: firewall,config,audit,pfsense
+
+file:
+ - extensions:
+ - xml
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin"
+ - ""
+ - "user-shell-access"
+ condition: and