T1136 Create Account Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1136 — Create Account: Multi-platform account creation detection
// Covers: Windows local/domain accounts (Security Event 4720), WMIC-based creation, net.exe, PowerShell cmdlets, Linux useradd, Azure AD
let SuspiciousAccountNames = dynamic(["a", "admin1", "support", "helpdesk", "svc", "test", "user", "guest1", "temp"]);
let SuspiciousParentProcesses = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
// Branch 1: Windows Security Event 4720 (User Account Created)
let WindowsAccountCreation =
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| extend NewAccountName = tostring(TargetUserName)
| extend CreatedBy = tostring(SubjectUserName)
| extend CreatedByDomain = tostring(SubjectDomainName)
| extend TargetDomain = tostring(TargetDomainName)
| extend ShortAccountName = tolower(NewAccountName) in (SuspiciousAccountNames)
| extend IsServiceAccount = NewAccountName startswith "svc-" or NewAccountName startswith "srv-"
| extend OffHours = hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) > 19
| project TimeGenerated, Computer, EventID, NewAccountName, CreatedBy, CreatedByDomain, TargetDomain,
          ShortAccountName, IsServiceAccount, OffHours,
          Source="Windows-Security-4720";
// Branch 2: Process-based account creation (net user, wmic, PowerShell New-LocalUser)
let ProcessAccountCreation =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "net.exe" or FileName =~ "net1.exe") and ProcessCommandLine has "user" and ProcessCommandLine has "/add"
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "useraccount" and ProcessCommandLine has "create")
    or (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and (
        ProcessCommandLine has "New-LocalUser" or ProcessCommandLine has "net user" and ProcessCommandLine has "/add"
    )
    or (FileName =~ "useradd" or FileName =~ "adduser")
  )
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParentProcesses)
| extend OffHours = hourofday(Timestamp) < 7 or hourofday(Timestamp) > 19
| project TimeGenerated=Timestamp, Computer=DeviceName, EventID=0, NewAccountName="",
          CreatedBy=AccountName, CreatedByDomain="", TargetDomain="",
          ShortAccountName=false, IsServiceAccount=false, OffHours,
          ProcessCommandLine, InitiatingProcessFileName,
          SuspiciousParent, Source="ProcessCreate";
// Union results and surface high-confidence indicators
WindowsAccountCreation
| extend ProcessCommandLine="", InitiatingProcessFileName="", SuspiciousParent=false
| union ProcessAccountCreation
| extend RiskScore = toint(ShortAccountName) + toint(OffHours) + toint(SuspiciousParent)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

User Account: User Account Creation Process: Process Creation Command: Command Execution Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

IT provisioning scripts that create service accounts or user accounts during onboarding workflows
Software installers that create local service accounts (e.g., backup agents, monitoring tools like Datadog, SolarWinds)
Domain join processes that create computer accounts triggering related audit events
Automated testing infrastructure that creates and removes ephemeral accounts
Password reset or account unlock scripts using net.exe that get flagged on the process branch

Splunk

spl

| union
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| eval NewAccountName=mvindex(split(Message, "Account Name:"), 2)
| eval NewAccountName=trim(mvindex(split(NewAccountName, "\n"), 0))
| eval CreatedBy=mvindex(split(Message, "Account Name:"), 1)
| eval CreatedBy=trim(mvindex(split(CreatedBy, "\n"), 0))
| eval hour=tonumber(strftime(_time, "%H"))
| eval OffHours=if(hour < 7 OR hour > 19, 1, 0)
| eval ShortName=if(len(trim(NewAccountName)) <= 3, 1, 0)
| eval RiskScore=OffHours + ShortName
| eval Source="Security-4720"
| table _time, host, EventCode, NewAccountName, CreatedBy, OffHours, ShortName, RiskScore, Source
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  ((Image="*\\net.exe" OR Image="*\\net1.exe") AND (CommandLine="* user *" AND CommandLine="*/add*"))
  OR (Image="*\\wmic.exe" AND CommandLine="*useraccount*" AND CommandLine="*create*")
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*New-LocalUser*" OR (CommandLine="*net user*" AND CommandLine="*/add*")))
  OR Image="*\\useradd"
  OR Image="*\\adduser"
| eval hour=tonumber(strftime(_time, "%H"))
| eval OffHours=if(hour < 7 OR hour > 19, 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
| eval RiskScore=OffHours + SuspiciousParent
| eval Source="ProcessCreate"
| eval NewAccountName=""
| eval CreatedBy=User
| table _time, host, Image, CommandLine, ParentImage, User, OffHours, SuspiciousParent, RiskScore, Source
]
| sort - _time

high severity high confidence

Data Sources

User Account: User Account Creation Process: Process Creation Command: Command Execution Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT provisioning scripts that create service accounts or user accounts during onboarding workflows
Software installers that create local service accounts (e.g., backup agents, monitoring tools like Datadog, SolarWinds)
Automated testing infrastructure creating and removing ephemeral accounts
Domain join processes that trigger account creation audit events
Password reset or account management scripts using net.exe

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    (process.name in ("net.exe", "net1.exe") and process.args : "user" and process.args : "/add") or
    (process.name == "wmic.exe" and process.args : "useraccount" and process.args : "create") or
    (process.name in ("powershell.exe", "pwsh.exe") and (
      process.args : "New-LocalUser" or
      (process.args : "net" and process.args : "user" and process.args : "/add")
    )) or
    process.name in ("useradd", "adduser")
  )]

// Standalone: Windows Security Event 4720
any where event.code == "4720" and event.provider == "Microsoft-Windows-Security-Auditing"

high severity high confidence

Data Sources

Windows Security Event Logs Endpoint process telemetry (Elastic Agent/Winlogbeat) Linux auditd/syslog

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

IT administrators provisioning new employee accounts during onboarding
Automated scripts creating service accounts for legitimate software installations
Domain join or software setup processes that create local accounts (e.g., SQL Server, IIS app pool accounts)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "AccountName" AS new_account,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN HOUR(devicetime) < 7 OR HOUR(devicetime) > 19 THEN 1
    ELSE 0
  END AS off_hours_flag
FROM events
WHERE
  (
    -- Windows Security Event 4720: User Account Created
    (LOGSOURCETYPEID(logsourceid) = 12 AND qid = 4720)
    OR
    -- Sysmon Process Create (Event 1) matching account creation commands
    (
      LOGSOURCETYPEID(logsourceid) = 12 AND qid = 1 AND
      (
        ("CommandLine" ILIKE '%net user%/add%' OR "CommandLine" ILIKE '%net1 user%/add%') OR
        ("CommandLine" ILIKE '%wmic useraccount create%') OR
        ("CommandLine" ILIKE '%New-LocalUser%') OR
        ("Image" ILIKE '%\\useradd' OR "Image" ILIKE '%\\adduser')
      )
    )
  )
  AND LOGSOURCEGROUPNAME(logsourceid) != 'Excluded Sources'
LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar Windows Security log source (DSM) Sysmon operational logs via Windows Log Source Linux OS log source

Required Tables

events

False Positives

IT helpdesk provisioning accounts for new hires via standard tooling
Software installers creating local service accounts (e.g., database engines, monitoring agents)
Automated provisioning pipelines using net.exe or PowerShell during business hours

Sumo Logic CSE

sql

// Branch 1: Windows Security Event 4720
(_sourceCategory=*windows* OR _sourceCategory=*WinEventLog*)
| where EventID = "4720"
| parse field=Message "Account Name:*\n" as new_account_block multi
| parse field=new_account_block "*\t" as new_account_name
| parse field=Message "Subject:*Account Name:*\n" as subject_block
| eval new_account_name = trim(new_account_name)
| eval hour = num(formatDate(_messageTime, "H"))
| eval off_hours = if(hour < 7 OR hour > 19, 1, 0)
| eval short_name = if(length(trim(new_account_name)) <= 3, 1, 0)
| eval risk_score = off_hours + short_name
| eval source = "Security-4720"
| fields _messageTime, _sourceHost, EventID, new_account_name, off_hours, short_name, risk_score, source

// Branch 2: Sysmon Process Create (Event 1) — account creation via process
// Run as separate query and union manually or use union operator
// (_sourceCategory=*sysmon* OR _sourceCategory=*windows*)
// | where EventID = "1"
// | where (CommandLine matches /(?i)net[1]?\.exe.*user.*\/add/) 
//      OR (CommandLine matches /(?i)wmic.*useraccount.*create/)
//      OR (CommandLine matches /(?i)(powershell|pwsh).*New-LocalUser/)
//      OR (Image matches /useradd|adduser/)
// | eval hour = num(formatDate(_messageTime, "H"))
// | eval off_hours = if(hour < 7 OR hour > 19, 1, 0)
// | eval suspicious_parent = if(ParentImage matches /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe/, 1, 0)
// | eval risk_score = off_hours + suspicious_parent
// | eval source = "ProcessCreate"
// | fields _messageTime, _sourceHost, EventID, Image, CommandLine, ParentImage, User, off_hours, suspicious_parent, risk_score, source

| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Event Logs (Security) Sysmon Operational Logs Linux syslog / auditd

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*linux*

False Positives

IT provisioning systems creating accounts for new employees during business hours
CI/CD pipelines or deployment scripts creating service accounts as part of application setup
Security products or EDR agents creating local accounts for their own operation

Google Chronicle / SecOps

yaral

rule t1136_create_account {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects account creation activity covering Windows Security Event 4720, process-based creation via net.exe/wmic/PowerShell, and Linux useradd. Maps to MITRE ATT&CK T1136."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1136"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Branch 1: Windows Security Event 4720 (User Account Created)
      $e.metadata.event_type = "USER_CREATION" and
      $e.metadata.product_event_type = "4720" and
      $e.principal.hostname != ""
    )
    or
    (
      // Branch 2: net.exe or net1.exe /add
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path, `(?i)(net|net1)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)user.*/add`)
      )
    )
    or
    (
      // Branch 3: wmic useraccount create
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)useraccount.*create`)
    )
    or
    (
      // Branch 4: PowerShell New-LocalUser
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)(New-LocalUser|net user.*\/add)`)
    )
    or
    (
      // Branch 5: Linux useradd / adduser
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)(useradd|adduser)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Windows Security Event forwarding Endpoint process telemetry via Chronicle ingestion

Required Tables

UDM events (USER_CREATION, PROCESS_LAUNCH)

False Positives

Authorized IT administration creating accounts through standard management consoles or scripts
Software deployments that create local service accounts (IIS, MSSQL, monitoring tools)
DevOps automation using PowerShell or CLI tools for infrastructure provisioning

CrowdStrike LogScale (CQL)

cql

// T1136 — Create Account: CrowdStrike LogScale (Falcon)
// Branch 1: Account creation via process events
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(net|net1|wmic|powershell|pwsh|useradd|adduser)\.exe$/
| CommandLine = /(?i)(user.*\/add|useraccount.*create|New-LocalUser|net user.*\/add)/
  OR FileName = /(?i)^(useradd|adduser)$/
| eval OffHours = if(hour(timestamp) < 7 OR hour(timestamp) > 19, true, false)
| eval SuspiciousParent = ParentBaseFileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$/
| eval RiskScore = (if(OffHours, 1, 0) + if(SuspiciousParent, 1, 0))
| table([
    @timestamp,
    ComputerName,
    UserName,
    FileName,
    CommandLine,
    ParentBaseFileName,
    OffHours,
    SuspiciousParent,
    RiskScore
  ])
| sort(field=@timestamp, order=desc)

// Branch 2: UserAccountAdded event (Falcon identity telemetry)
// Uncomment if UserAccountAdded events are available in your Falcon data tier:
// #event_simpleName = "UserAccountAdded"
// | eval OffHours = if(hour(timestamp) < 7 OR hour(timestamp) > 19, true, false)
// | table([@timestamp, ComputerName, UserName, NewUserName, OffHours])
// | sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2) Falcon Identity Protection (UserAccountAdded) Falcon Event Stream

Required Tables

ProcessRollup2 UserAccountAdded (optional)

False Positives

IT administrators or scripts using net.exe to provision accounts during business hours
Endpoint provisioning systems running PowerShell-based account creation as part of imaging pipelines
Security or monitoring tools spawning child processes that invoke account management utilities

Create Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Persistence

Popular Detections