Create Account T1136

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Events covered

27 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4720A user account was created.
Security-AuditingEvent ID 4726A user account was deleted.
Security-AuditingEvent ID 4727A security-enabled global group was created.
Security-AuditingEvent ID 4730A security-enabled global group was deleted.
Security-AuditingEvent ID 4731A security-enabled local group was created.
Security-AuditingEvent ID 4732A member was added to a security-enabled local group.
Security-AuditingEvent ID 4737A security-enabled global group was changed.
Security-AuditingEvent ID 4741A computer account was created.
Security-AuditingEvent ID 4742A computer account was changed.
Security-AuditingEvent ID 4744A security-disabled local group was created.
Security-AuditingEvent ID 4749A security-disabled global group was created.
Security-AuditingEvent ID 4754A security-enabled universal group was created.
Security-AuditingEvent ID 4756A member was added to a security-enabled universal group.
Security-AuditingEvent ID 4759A security-disabled universal group was created.
Security-AuditingEvent ID 4781The name of an account was changed.
Security-AuditingEvent ID 4783A basic application group was created.
Security-AuditingEvent ID 4790An LDAP query group was created.
Security-AuditingEvent ID 5137A directory service object was created.
Defender-DeviceProcessEventsanyProcess activity (any)
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 44 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (36 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine19contains 13, match 3, regex_match 3, in 2add, user, (?i)(\-u)|(user)|(localgroup)|(group), (?i).add, (?i)searchroot|objectcategory=|userenum
EventID13eq 11, in 24688, 4104, 1, 4720, 4727
Image7ends_with 6, eq 1, regex_match 1\net.exe, \net1.exe, \lsass.exe, net(|1)\.exe$, net.exe
TargetUserName7eq 4, ends_with 3, contains 1, in 1$, Administrators, Account Operators, Admins DNS, ESX Admins
Channel4eq 4, in 4
OriginalFileName4eq 4net1.exe, net.exe
ScriptBlockText4contains 3, in 1*install-module -name aadinternals*, *install-module -name az.resources*, *install-module -name azuread*, esx admins, new-adgroup
eventtype4eq 4
Type3eq 3
process_name3eq 3net1.exe, net.exe
All_Changes.result_id2eq 24720, 4726
SubjectUserName2ends_with 2$
SubjectUserSid2starts_with 2S-1-5-21-
TargetObject2contains 1, ends_with 1, wildcard 1$\(default), \registry\machine\sam\sam\domains\account\users\names\*$\, \sam\sam\domains\account\users\names\, hklm\sam\sam\domains\account\users\names\*$\, machine\sam\sam\domains\account\users\names\*$\
event.type2eq 1, in 1change, creation, start

Top indicator values (151 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
CommandLinecontains
add
536
CommandLinecontains
user
516
CommandLinecontains
/add
210
CommandLinecontains
-group
13
CommandLinecontains
/add
15
CommandLinecontains
user
12
CommandLinecontains
-encodedcommand
13
CommandLinecontains
./client/common/
1
CommandLinecontains
.\client\common\
1
Imageends_with
\net.exe
550
Imageends_with
\net1.exe
548
EventIDeq
4688
4312
EventIDeq
4104
3268
EventIDeq
1
2232
EventIDeq
4720
25
EventIDeq
4732
24
OriginalFileNameeq
net1.exe
443
OriginalFileNameeq
net.exe
227
CommandLinematch
(?i)(\-u)|(user)|(localgroup)|(group)
33
CommandLinematch
(?i).add
33
CommandLineregex_match
(?i)searchroot|objectcategory=|userenum
33
TargetUserNameends_with
$
39
process_nameeq
net1.exe
334
All_Changes.result_ideq
4720
22
All_Changes.result_ideq
4726
1
EventIDin
4727
24
SubjectUserNameends_with
$
237
SubjectUserSidstarts_with
S-1-5-21-
25
signature_idmatch
(?i)4720
22
user_groupmatch
(?i)(users)|(administrators)|(remote)
22

Exclusions (11 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
parent_process_nameeq
net.exe
2
Computereq
%domain_controllers%
1
EventDatacontains
gc_service.exe
1
EventDatacontains
gc_worker.exe
1
OldTargetUserNameends_with
$
1
ParentCommandLinecross_field_compare
ProcessCommandLine
1
ParentImagecontains
gc_service.exe
1
ParentImagecontains
gc_worker.exe
1
PrivilegeListeq
-
1
TargetUserNameeq
HomeGroupUser$
1
file_nameeq
net1.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 20 rules

Elastic 3 rules

Splunk 17 rules

Kusto 3 rules

YARA-L 1 rule