Local User Creation

Detects local user creation on Windows servers, which should not happen in an Active Directory environment. Apply this Sigma use case to your Windows server logs, not to your domain controller (DC) logs.

Sigma rule

title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: |
    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
date: 2019/04/18
modified: 2021/01/17
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
falsepositives:
    - Domain Controller Logs
    - Local accounts managed by privileged account management tools
level: low
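The following is an added example, not part of the Sigma project or of this rule: a minimal evaluator that applies the rule's selection (EventID 4720) to a constructed batch of Windows Security events and then drops the two documented false positives. The domain controller hostnames, the PAM service account name and the sample events are all assumptions made up for the example; a real pipeline would read them from its inventory and from the event log.

```python
# Added example (not the Sigma project's code): evaluate the rule's
# 'selection' over constructed Security events and apply the two
# false positives listed in the rule as exclusions.

# The rule's detection block, transcribed from the YAML above.
RULE_SELECTION = {"EventID": 4720}

# Constructed allowlists (assumptions, not from the page):
# - domain controllers whose Security log must not be fed to this rule,
#   because domain account creation also logs 4720 there;
# - the service account of a privileged account management (PAM) tool
#   that legitimately creates and rotates local accounts.
DOMAIN_CONTROLLERS = {"DC01.corp.example", "DC02.corp.example"}
PAM_SERVICE_ACCOUNTS = {"svc-pam"}

# Constructed sample events (a subset of the fields the Security log
# carries; all hostnames and account names are made up).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "FS01.corp.example",
     "SubjectUserName": "jdoe", "TargetUserName": "tempadmin"},
    {"EventID": 4720, "Computer": "DC01.corp.example",
     "SubjectUserName": "admin", "TargetUserName": "newhire"},
    {"EventID": 4720, "Computer": "WEB02.corp.example",
     "SubjectUserName": "svc-pam", "TargetUserName": "pam-rotated"},
    {"EventID": 4722, "Computer": "FS01.corp.example",
     "SubjectUserName": "jdoe", "TargetUserName": "tempadmin"},
    {"EventID": "4720", "Computer": "APP03.corp.example",
     "SubjectUserName": "opsuser", "TargetUserName": "localsvc"},
]


def matches_selection(event, selection=RULE_SELECTION):
    """Sigma 'selection' semantics for a flat map: every listed field must
    equal its value (implicit AND). Values are compared as strings because
    collectors deliver EventID sometimes as int and sometimes as str."""
    return all(str(event.get(field)) == str(value)
               for field, value in selection.items())


def is_known_false_positive(event):
    """The rule's 'falsepositives' list, turned into concrete exclusions."""
    if event.get("Computer") in DOMAIN_CONTROLLERS:
        return True  # "Domain Controller Logs"
    if event.get("SubjectUserName") in PAM_SERVICE_ACCOUNTS:
        return True  # "Local accounts managed by privileged account management tools"
    return False


def run_rule(events):
    """Return the events that fire the rule after false-positive filtering."""
    return [e for e in events
            if matches_selection(e) and not is_known_false_positive(e)]


def summarize(events):
    """Compact (host, creator, created account) tuples for the hits."""
    return [(e["Computer"], e["SubjectUserName"], e["TargetUserName"])
            for e in run_rule(events)]


if __name__ == "__main__":
    for host, creator, created in summarize(SAMPLE_EVENTS):
        print(f"ALERT local user created on {host}: {creator} -> {created}")
```

Run on the sample batch, only the FS01 and APP03 events survive: the DC01 event is dropped because it comes from a domain controller, the WEB02 event because the PAM service account created it, and the 4722 (account enabled) event never matched the selection. The string comparison in `matches_selection` is a deliberate choice so that a collector emitting `"4720"` still triggers the rule.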
