Windows User Account Creation

 1[metadata]
 2creation_date = "2021/01/04"
 3integration = ["system", "windows"]
 4maturity = "development"
 5updated_date = "2025/02/21"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Skoetting"]
11description = """
12Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access
13to a system or domain.
14"""
15false_positives = [
16    """
17    Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
18    behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
19    behavior is causing false positives, it can be exempted from the rule.
20    """,
21]
22index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Windows User Account Creation"
26risk_score = 21
27rule_id = "38e17753-f581-4644-84da-0d60a8318694"
28severity = "low"
29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide"]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.module:("system" or "security") and winlog.api:"wineventlog" and
35  (event.code:"4720" or event.action:"added-user-account")
36'''
37note = """## Triage and analysis
38
39> **Disclaimer**:
40> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
41
42### Investigating Windows User Account Creation
43
44Windows user accounts are essential for managing access and permissions within a system or domain. Adversaries may exploit this by creating unauthorized accounts to maintain persistence or escalate privileges. The detection rule leverages event logs, specifically targeting account creation events, to identify suspicious activities. By monitoring these logs, security analysts can detect and respond to potential threats effectively.
45
46### Possible investigation steps
47
48- Review the event logs for event.code "4720" or event.action "added-user-account" to identify the specific account creation event.
49- Determine the source of the account creation by examining the event.module field to see if it originated from the "system" or "security" module.
50- Identify the user account that initiated the account creation by checking the associated user information in the event logs.
51- Investigate the context around the time of the account creation event, such as other related events or anomalies, to assess if it aligns with normal administrative activities.
52- Check for any recent privilege escalation activities or changes in user permissions that might be associated with the newly created account.
53- Correlate the account creation event with other security alerts or logs to identify potential patterns of malicious behavior or persistence tactics.
54
55### False positive analysis
56
57- Routine administrative tasks may trigger account creation events. Regularly review and document legitimate administrative activities to differentiate them from suspicious actions.
58- Automated scripts or software installations that create user accounts can generate false positives. Identify and whitelist these processes to prevent unnecessary alerts.
59- Temporary accounts for contractors or short-term projects might be flagged. Implement a naming convention for such accounts and exclude them from alerts based on this pattern.
60- System updates or patches that involve account creation could be misinterpreted as threats. Monitor update schedules and correlate them with account creation events to verify legitimacy.
61- Accounts created by trusted third-party management tools should be recognized and excluded. Maintain an updated list of these tools and configure exceptions accordingly.
62
63### Response and remediation
64
65- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
66- Review the newly created user account details, including the username, creation time, and associated privileges, to assess the potential impact and scope of the threat.
67- Disable or delete the unauthorized user account to eliminate the adversary's persistence mechanism.
68- Conduct a thorough review of recent account creation logs and correlate with other security events to identify any additional unauthorized accounts or related suspicious activities.
69- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
70- Implement enhanced monitoring and alerting for account creation events, focusing on unusual patterns or deviations from normal behavior to improve early detection of similar threats.
71- Review and update access control policies and user account management procedures to prevent unauthorized account creation and ensure adherence to the principle of least privilege."""
72
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1136"
78name = "Create Account"
79reference = "https://attack.mitre.org/techniques/T1136/"
80[[rule.threat.technique.subtechnique]]
81id = "T1136.001"
82name = "Local Account"
83reference = "https://attack.mitre.org/techniques/T1136/001/"
84
85[[rule.threat.technique.subtechnique]]
86id = "T1136.002"
87name = "Domain Account"
88reference = "https://attack.mitre.org/techniques/T1136/002/"
89
90
91
92[rule.threat.tactic]
93id = "TA0003"
94name = "Persistence"
95reference = "https://attack.mitre.org/tactics/TA0003/"