T1136.001 Local Account Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Branch 1: Windows Security Event 4720 — A user account was created
let AccountCreationEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| extend CreatedAccount = TargetUserName
| extend CreatedBy = SubjectUserName
| extend CreatedByDomain = SubjectDomainName
| extend CreatedOnHost = Computer
| project TimeGenerated, EventID, CreatedAccount, CreatedBy, CreatedByDomain, CreatedOnHost, Activity;
// Branch 2: Account added to local Administrators or privileged group (Event 4732) within 10 minutes of creation
let GroupAddEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4732
| where TargetUserName in~ ("Administrators", "Remote Desktop Users", "Remote Management Users", "Backup Operators")
| extend AddedAccount = MemberName
| extend AddedToGroup = TargetUserName
| extend AddedBy = SubjectUserName
| project TimeGenerated, EventID, AddedAccount, AddedToGroup, AddedBy, Computer;
// Branch 3: Process-based detection — net user /add via command line
let NetUserAddEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "net.exe" or FileName =~ "net1.exe")
| where ProcessCommandLine has_any ("user ", "/add")
| where ProcessCommandLine has "/add"
| extend SuspiciousParent = InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SuspiciousParent;
// Combine and surface all results
union
  (AccountCreationEvents | extend DetectionBranch = "SecurityEvent_4720"),
  (GroupAddEvents | extend DetectionBranch = "SecurityEvent_4732_GroupAdd"),
  (NetUserAddEvents | extend DetectionBranch = "DeviceProcessEvents_NetUserAdd")
| sort by TimeGenerated desc

high severity high confidence

Data Sources

User Account: User Account Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

IT helpdesk or system administrators creating local service accounts for new application deployments or onboarding workflows
Software installers (e.g., SQL Server, IIS, application suites) that create dedicated local service accounts during setup
Configuration management tooling (Ansible, Chef, Puppet, DSC) that enforces a local account policy and creates or recreates accounts as part of a run
Domain join workflows that briefly create local accounts before applying domain policy
Automated provisioning systems creating local break-glass administrator accounts per a documented runbook

Splunk

spl

| union
  [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
    | eval DetectionBranch="SecurityEvent_4720"
    | eval CreatedAccount=mvindex(split(Account_Name, "\\"), -1)
    | eval CreatedBy=mvindex(split(Security_ID, "\\"), -1)
    | eval SuspiciousName=if(match(lower(CreatedAccount), "(support|helpdesk|helpasst|helpassist|admin|svc|service|backup|test|temp|guest|user1|user2|anonymous)"), 1, 0)
    | table _time, host, EventCode, CreatedAccount, CreatedBy, SuspiciousName, DetectionBranch ]
  [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4732
    (Group_Name="Administrators" OR Group_Name="Remote Desktop Users" OR Group_Name="Remote Management Users" OR Group_Name="Backup Operators")
    | eval DetectionBranch="SecurityEvent_4732_GroupAdd"
    | eval AddedAccount=mvindex(split(Member_Name, "\\"), -1)
    | table _time, host, EventCode, AddedAccount, Group_Name, Subject_Account_Name, DetectionBranch ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\net.exe" OR Image="*\\net1.exe")
    CommandLine="* user *" CommandLine="*/add*"
    | eval DetectionBranch="Sysmon_NetUserAdd"
    | eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)"), 1, 0)
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, DetectionBranch ]
| eval AccountName=coalesce(CreatedAccount, AddedAccount, User)
| eval hour=tonumber(strftime(_time, "%H"))
| eval OffHours=if(hour < 7 OR hour >= 20, 1, 0)
| eval SuspicionScore=coalesce(SuspiciousName, 0) + coalesce(SuspiciousParent, 0) + OffHours
| table _time, host, AccountName, DetectionBranch, SuspicionScore, CommandLine, ParentImage, Group_Name
| sort - _time

high severity high confidence

Data Sources

User Account: User Account Creation Process: Process Creation Command: Command Execution Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk or system administrators creating local service accounts for new application deployments or onboarding workflows
Software installers (e.g., SQL Server, IIS, application suites) that create dedicated local service accounts during setup
Configuration management tooling (Ansible, Chef, Puppet, DSC) that enforces a local account policy and creates or recreates accounts as part of a run
Automated provisioning systems creating local break-glass administrator accounts per a documented runbook
Developer workstations where engineers create local test accounts during application development

Elastic Security (EQL)

eql

sequence by host.name with maxspan=10m
  [iam where event.action == "added-user-account" and event.code == "4720"
   | where host.os.type == "windows"
  ]
  [iam where event.action == "added-member-to-group" and event.code == "4732"
   | where group.name in~ ("Administrators", "Remote Desktop Users", "Remote Management Users", "Backup Operators")
  ]

OR

process where event.type == "start"
  and process.name in~ ("net.exe", "net1.exe")
  and process.args : ("user", "/add")
  and process.args : "/add"
  and process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")

high severity high confidence

Data Sources

Windows Security Event Logs (forwarded via Winlogbeat or Elastic Agent) Elastic Endpoint (process telemetry)

Required Tables

logs-system.security* logs-endpoint.events.process* .ds-logs-*

False Positives

IT administrators creating local service accounts during planned provisioning or onboarding workflows
Automated deployment tools (Ansible, SCCM, Chef) that create local accounts as part of application setup
Domain join processes that create accounts like DefaultAccount or WDAGUtilityAccount on fresh builds

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username AS subject_user,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Account_Name" AS created_account,
  "Group_Name" AS target_group,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("Account_Name") MATCHES '(support|helpdesk|helpasst|helpassist|admin|svc|service|backup|test|temp|guest|user1|user2|anonymous)' THEN 1
    ELSE 0
  END AS suspicious_name_flag,
  CASE
    WHEN EXTRACT(HOUR FROM starttime) < 7 OR EXTRACT(HOUR FROM starttime) >= 20 THEN 1
    ELSE 0
  END AS off_hours_flag,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (eventid = 4720)
    OR (eventid = 4732 AND "Group_Name" IN ('Administrators', 'Remote Desktop Users', 'Remote Management Users', 'Backup Operators'))
    OR (eventid = 1 AND ("CommandLine" ILIKE '%net.exe%' OR "CommandLine" ILIKE '%net1.exe%') AND "CommandLine" ILIKE '%user%' AND "CommandLine" ILIKE '%/add%')
  )
  AND starttime > DATEADD('day', -1, NOW())
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Microsoft Sysmon DSM Windows hosts forwarding to QRadar via WinCollect or syslog

Required Tables

events

False Positives

Help desk staff creating local break-glass accounts on servers during planned maintenance windows
Build automation pipelines that spin up local accounts for CI runners or test environments
Software installers that create dedicated local service accounts (e.g., SQL Server, backup agents)

Sumo Logic CSE

sql

((_sourceCategory=*windows* OR _sourceCategory=*WinEventLog* OR _sourceCategory=*sysmon*)
 AND (EventCode=4720 OR EventCode=4732 OR (EventCode=1 AND (Image=*\\net.exe OR Image=*\\net1.exe))))
| parse "EventCode=*" as EventCode nodrop
| parse "Account_Name:\t\t*" as CreatedAccount nodrop
| parse "Group_Name:\t\t*" as GroupName nodrop
| parse "CommandLine:\t*" as CommandLine nodrop
| parse "Image:\t*" as Image nodrop
| parse "ParentImage:\t*" as ParentImage nodrop
| parse "Computer:\t*" as host nodrop
| where (EventCode = "4720")
  OR (EventCode = "4732" AND (GroupName = "Administrators" OR GroupName = "Remote Desktop Users" OR GroupName = "Remote Management Users" OR GroupName = "Backup Operators"))
  OR (EventCode = "1" AND (CommandLine matches "(?i).*\\buser\\b.*" AND CommandLine matches "(?i).*/add.*"))
| eval SuspiciousName = if(matches(toLowerCase(CreatedAccount), ".*(support|helpdesk|helpasst|helpassist|admin|svc|service|backup|test|temp|guest|user1|user2|anonymous).*"), 1, 0)
| eval SuspiciousParent = if(matches(toLowerCase(ParentImage), ".*(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd).*"), 1, 0)
| eval Hour = format("%tH", _messageTime)
| eval OffHours = if(num(Hour) < 7 OR num(Hour) >= 20, 1, 0)
| eval SuspicionScore = SuspiciousName + SuspiciousParent + OffHours
| eval DetectionBranch = if(EventCode = "4720", "SecurityEvent_4720",
    if(EventCode = "4732", "SecurityEvent_4732_GroupAdd",
    if(EventCode = "1", "Sysmon_NetUserAdd", "Unknown")))
| fields _messagetime, host, EventCode, DetectionBranch, CreatedAccount, GroupName, CommandLine, ParentImage, SuspicionScore
| sort by _messagetime desc

high severity medium confidence

Data Sources

Windows Security Event Logs ingested via Sumo Logic Windows Event Log Source Sysmon operational logs via Sumo Logic Installed Collector

Required Tables

WinEventLog:Security (index) XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (index)

False Positives

IT provisioning scripts creating local admin accounts during new server builds or OS deployments
Backup software agents (Veeam, Commvault) that create local service accounts during installation
Pentest tools or red team exercises conducted without proper exclusion filters applied

Google Chronicle / SecOps

yaral

rule T1136_001_local_account_creation {
  meta:
    name = "T1136.001 - Local Account Creation"
    description = "Detects creation of local user accounts via Security Event 4720, privileged group addition via 4732, or net.exe /add command execution. Adversaries create local accounts to maintain persistent access."
    author = "Argus Detection Engineering"
    technique = "T1136.001"
    tactic = "TA0003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Branch 1: Windows Security Event 4720 - Account Created
      $e1.metadata.event_type = "USER_CREATION"
      $e1.metadata.product_event_type = "4720"
      $e1.target.user.userid = $created_account
      $e1.principal.user.userid = $subject_user
      $e1.principal.hostname = $hostname
    )
    OR
    (
      // Branch 2: Account added to privileged local group (Event 4732)
      $e1.metadata.event_type = "GROUP_MODIFICATION"
      $e1.metadata.product_event_type = "4732"
      $e1.target.group.group_display_name in (
        "Administrators",
        "Remote Desktop Users",
        "Remote Management Users",
        "Backup Operators"
      )
      $e1.principal.hostname = $hostname
    )
    OR
    (
      // Branch 3: net.exe /add process-based detection
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.target.process.file.full_path = /(?i)(\\net\.exe|\\net1\.exe)$/
      $e1.target.process.command_line = /(?i).*user.*/
      $e1.target.process.command_line = /(?i).*\/add.*/
      $e1.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
      $e1.principal.hostname = $hostname
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Windows Event Logs ingested via Chronicle Forwarder or BindPlane Microsoft Defender for Endpoint telemetry via Chronicle integration Sysmon logs forwarded to Chronicle

Required Tables

UDM events with metadata.event_type USER_CREATION UDM events with metadata.event_type GROUP_MODIFICATION UDM events with metadata.event_type PROCESS_LAUNCH

False Positives

Active Directory-integrated provisioning tools that create local fallback admin accounts on domain-joined servers
Cloud init scripts or VM customization extensions (Azure CustomScript, AWS SSM) creating local admin accounts during instance startup
Security baseline tooling that creates dedicated local audit or monitoring accounts as part of CIS hardening

CrowdStrike LogScale (CQL)

cql

// Branch 1 & 2: Windows Security Events 4720 and 4732 via UserAccountControl or audit logs
#event_simpleName = "UserAccountCreated" OR #event_simpleName = "GroupMemberAdded"
| eval DetectionBranch = case(
    #event_simpleName == "UserAccountCreated", "UserAccount_Created_4720",
    #event_simpleName == "GroupMemberAdded" AND TargetGroupName IN ("Administrators", "Remote Desktop Users", "Remote Management Users", "Backup Operators"), "PrivGroup_Add_4732",
    true, "Other"
  )
| where DetectionBranch != "Other"
| table _timeutc, ComputerName, UserName, TargetUserName, TargetGroupName, SubjectUserName, DetectionBranch

OR

// Branch 3: Process-based detection via Falcon ProcessRollup2
#event_simpleName = "ProcessRollup2"
| where FileName in~ ("net.exe", "net1.exe")
| where CommandLine = /(?i).*\buser\b.*\/add.*/
| where ParentBaseFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| eval SuspiciousParent = 1
| eval DetectionBranch = "ProcessBased_NetUserAdd"
| table _timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SuspiciousParent, DetectionBranch

// Unified view across all branches - combine results and sort
| groupBy([ComputerName, DetectionBranch], function=[
    count(as=EventCount),
    min(_timeutc, as=FirstSeen),
    max(_timeutc, as=LastSeen)
  ])
| sort LastSeen desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (ProcessRollup2) CrowdStrike Falcon Identity Protection or Falcon Insight (UserAccountCreated, GroupMemberAdded events)

Required Tables

ProcessRollup2 UserAccountCreated GroupMemberAdded

False Positives

IT asset management workflows that automatically create local admin accounts for out-of-band management on servers without domain connectivity
Application installers running as SYSTEM that create dedicated local service accounts (e.g., database engines, monitoring agents)
Vulnerability scanners or compliance tools that create temporary local accounts during authenticated scanning and clean them up afterward

Local Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections