T1136.001 IBM QRadar · QRadar

Detect Local Account in IBM QRadar

Adversaries may create a local account to maintain persistent access to victim systems. Local accounts can be created using built-in OS commands such as net user /add (Windows), useradd or adduser (Linux), or dscl -create (macOS). Adversaries including Wizard Spider, APT5, Fox Kitten, TeamTNT, and FIN13 have used this technique to establish secondary access that survives credential rotation and does not require persistent remote access tools. Created accounts are often added to the local Administrators group to maximize their utility. Common naming patterns observed in the wild include service-like names (supportaccount, HelpAssistant) designed to blend with legitimate accounts.

MITRE ATT&CK

Tactic
Persistence
Technique
T1136 Create Account
Sub-technique
T1136.001 Local Account
Canonical reference
https://attack.mitre.org/techniques/T1136/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username AS subject_user,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Account_Name" AS created_account,
  "Group_Name" AS target_group,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("Account_Name") MATCHES '(support|helpdesk|helpasst|helpassist|admin|svc|service|backup|test|temp|guest|user1|user2|anonymous)' THEN 1
    ELSE 0
  END AS suspicious_name_flag,
  CASE
    WHEN EXTRACT(HOUR FROM starttime) < 7 OR EXTRACT(HOUR FROM starttime) >= 20 THEN 1
    ELSE 0
  END AS off_hours_flag,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (eventid = 4720)
    OR (eventid = 4732 AND "Group_Name" IN ('Administrators', 'Remote Desktop Users', 'Remote Management Users', 'Backup Operators'))
    OR (eventid = 1 AND ("CommandLine" ILIKE '%net.exe%' OR "CommandLine" ILIKE '%net1.exe%') AND "CommandLine" ILIKE '%user%' AND "CommandLine" ILIKE '%/add%')
  )
  AND starttime > DATEADD('day', -1, NOW())
ORDER BY starttime DESC
LIMIT 500
high severity medium confidence

Detects local account creation via Windows Security Event 4720, privileged group membership addition via Event 4732, and process-based detection of net.exe /add commands via Sysmon Event 1. Includes scoring for suspicious account names and off-hours activity.

Data Sources

Microsoft Windows Security Event Log (QRadar DSM)Microsoft Sysmon DSMWindows hosts forwarding to QRadar via WinCollect or syslog

Required Tables

events

False Positives & Tuning

  • Help desk staff creating local break-glass accounts on servers during planned maintenance windows
  • Build automation pipelines that spin up local accounts for CI runners or test environments
  • Software installers that create dedicated local service accounts (e.g., SQL Server, backup agents)
Download portable Sigma rule (.yml)

Other platforms for T1136.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Local User Account with Net User

    Expected signal: Security Event ID 4720 in Windows Security log: TargetUserName=df00testuser, SubjectUserName=<current admin account>. Sysmon Event ID 1: Image=net.exe or net1.exe, CommandLine containing 'user df00testuser /add'. Security Event ID 4722 (account enabled) will follow immediately.

  2. Test 2Create Local Account and Add to Administrators Group

    Expected signal: Security Event ID 4720: account df00admintest created. Security Event ID 4732: member df00admintest added to Administrators group. Sysmon Event ID 1: two sequential net.exe process creation events — one with 'user /add' and one with 'localgroup Administrators /add'. The two events will be within seconds of each other on the same host.

  3. Test 3Create Local Account via PowerShell New-LocalUser

    Expected signal: Security Event ID 4720: TargetUserName=df00pstest, SubjectUserName=<current user>. Security Event ID 4732: member df00pstest added to Administrators group. Sysmon Event ID 1: powershell.exe process with CommandLine containing 'New-LocalUser' and 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 will capture the full cmdlet invocations with all parameters.

  4. Test 4Create Local Account on Linux with useradd

    Expected signal: auditd SYSCALL records for execve of /usr/sbin/useradd with arguments '-m -s /bin/bash -G sudo df00linuxtest'. syslog or auth.log entry: 'new user: name=df00linuxtest, UID=<uid>, GID=<gid>, home=/home/df00linuxtest, shell=/bin/bash'. auditd USER_MGMT type record for account creation. /etc/passwd and /etc/shadow modification events if file auditing is enabled.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1136.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1136Create Account

Related Sub-techniques

T1136.002Domain AccountT1136.003Cloud Account

Related Techniques

T1136Create AccountT1136.002Domain AccountT1078.003Local AccountsT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1053.005Scheduled TaskT1003.002Security Account ManagerT1098Account ManipulationT1070.001Clear Windows Event Logs

Same Tactic: Persistence

Popular Detections