Windows User Account Creation

Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/04"
 3integration = ["system", "windows"]
 4maturity = "development"
 5updated_date = "2023/06/22"
 6
 7[rule]
 8author = ["Skoetting"]
 9description = """
10Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access
11to a system or domain.
12"""
13false_positives = [
14    """
15    Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
16    behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
17    behavior is causing false positives, it can be exempted from the rule.
18    """,
19]
20index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Windows User Account Creation"
24risk_score = 21
25rule_id = "38e17753-f581-4644-84da-0d60a8318694"
26severity = "low"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.module:("system" or "security") and winlog.api:"wineventlog" and
33  (event.code:"4720" or event.action:"added-user-account")
34'''
35
36
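[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
# Both sub-techniques are mapped because the same event is logged for local
# account creation on member hosts and for domain account creation on domain
# controllers (the description covers "a system or domain").
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[[rule.threat.technique.subtechnique]]
id = "T1136.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1136/002/"

# Tactic of this [[rule.threat]] element; it must stay after the element's
# technique/sub-technique entries and before any further [[rule.threat]].
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"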
