Windows User Account Creation
Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain.
# Elastic detection rule: Windows User Account Creation.
# Repository metadata for the rule; the detection logic itself lives under [rule].
[metadata]
creation_date = "2021/01/04"
# Telemetry may come from either the System or the Windows integration (see `index` below).
integration = ["system", "windows"]
# Development maturity, not a production rule: expect to tune it before relying on it.
maturity = "development"
updated_date = "2024/10/28"
# Pinned because of the breaking change noted in min_stack_comments.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Skoetting"]
description = """
Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access
to a system or domain.
"""
# Account creation is routine administrator activity, which is why the rule is
# rated low and the guidance is to exempt known subject users / hosts rather than
# to disable the rule outright.
false_positives = [
 """
 Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
 behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
 behavior is causing false positives, it can be exempted from the rule.
 """,
]
# Legacy Winlogbeat indices plus the System and Windows integration data streams.
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows User Account Creation"
# 21 / "low": the event on its own is not malicious; see false_positives.
risk_score = 21
rule_id = "38e17753-f581-4644-84da-0d60a8318694"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"]
# The rule's time window is evaluated against ingest time rather than the event's
# own timestamp, so events that arrive late (e.g. via forwarding) are still seen.
timestamp_override = "event.ingested"
type = "query"

# Matches Windows Security log user-account creation either by the raw event ID
# 4720 ("A user account was created") or by the normalised event.action the
# Winlogbeat/system security pipeline assigns to that event.
# NOTE(review): both event.module and winlog.api must be populated for a match, so
# events shipped by a collector that does not set winlog.api will not fire this
# rule. 4720 is only written when the "Audit User Account Management" audit
# subcategory is enabled on the host; hosts without it produce no signal here.
query = '''
event.module:("system" or "security") and winlog.api:"wineventlog" and
 (event.code:"4720" or event.action:"added-user-account")
'''


# MITRE ATT&CK mapping: T1136 Create Account, covering both the local and the
# domain sub-techniques, under the Persistence tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[[rule.threat.technique.subtechnique]]
id = "T1136.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1136/002/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"