diff --git a/file/audit/pfsense/known-default-account.yaml b/file/audit/pfsense/known-default-account.yaml
new file mode 100644
index 0000000000..cdec95d721
--- /dev/null
+++ b/file/audit/pfsense/known-default-account.yaml
@@ -0,0 +1,27 @@
+id: known-default-account
+
+info:
+ name: Known Default Account - Detected
+ author: pussycat0x
+ severity: info
+ description: |
+ In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System.
+ The known default accounts are often (without limiting to) the following: 'admin'.
+ reference: |
+ https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
+ remediation: |
+ Deletes the known default accounts configured.
+ tags: firewall,config,audit,pfsense
+
+file:
+ - extensions:
+ - xml
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin"
+ - ""
+ - "user-shell-access"
+ condition: and
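Review bot: The `words` list in the single matcher is too loose to identify the default account as it appears here. `"admin"` is a bare substring that will also hit strings such as "admins" or "administrator" elsewhere in a config export, and the empty `""` entry constrains nothing, so under `condition: and` the result effectively rests on `user-shell-access` alone. If the committed file really contains these values (rather than XML tags lost when this page was rendered), anchor the entries on the enclosing element, for example `- "<name>admin</name>"`, and drop or replace the empty entry. Even then, the words are matched anywhere in the file rather than within one user entry, so a config where a different user holds `user-shell-access` would still be reported; a comment in the template stating that limitation would help auditors read the finding correctly. The template also only shows that an account named admin exists, not that its default password is unchanged, which the `description` could say explicitly.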