detection.wiki

ATT&CK coverage › Technique

Create Account: Domain Account T1136.002

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.

Events covered

16 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon11FileCreate
Security-Auditing4688A new process has been created.
Security-Auditing4720A user account was created.
Security-Auditing4727A security-enabled global group was created.
Security-Auditing4730A security-enabled global group was deleted.
Security-Auditing4731A security-enabled local group was created.
Security-Auditing4737A security-enabled global group was changed.
Security-Auditing4744A security-disabled local group was created.
Security-Auditing4749A security-disabled global group was created.
Security-Auditing4754A security-enabled universal group was created.
Security-Auditing4756A member was added to a security-enabled universal group.
Security-Auditing4759A security-disabled universal group was created.
Security-Auditing4783A basic application group was created.
Security-Auditing4790An LDAP query group was created.
Security-Auditing5137A directory service object was created.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 8 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (6 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventID3in 2, eq 14727, 4730, 4737, 4104, 4790
ScriptBlockText2match 1, eq 1System.DirectoryServices.AccountManagement, "*New-ADGroup*", "*ESX Admins*", "*New-LocalGroup*"
user2eq 1, in 1"ESX Admins", "*ESX Admins*", "ESXi Admins", "Hyper-V Administrators", "Schema Admins"
ObjectClass1eq 1msDS-DelegatedManagedServiceAccount
TargetFilename1ends_with 1, starts_with 1C:\Windows\PSEXEC-, .key
SamAccountName1match 1ANONYMOUS, LOGON

Top indicator values (42 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDin472723
ObjectClasseqmsDS-DelegatedManagedServiceAccount1
ScriptBlockTextmatchSystem.DirectoryServices.AccountManagement1
TargetFilenameends_with.key12
TargetFilenamestarts_withC:\Windows\PSEXEC-1
SamAccountNamematchANONYMOUS1
SamAccountNamematchLOGON1
usereq"*ESX Admins*"1
usereq"ESX Admins"1
EventIDin47371
EventIDin47301
ScriptBlockTexteq"*New-LocalGroup*"1
EventIDeq41041108
ScriptBlockTexteq"*ESX Admins*"1
ScriptBlockTexteq"*New-ADGroup*"1
userin"Hyper-V Administrators"1
userin"Server Operators"1
EventIDin47901
userin"Print Operators"1
userin"ESX Admins"1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 3 rules

Elastic 1 rule

Splunk 3 rules

Kusto Query Language 1 rule