Detect Local Account in Splunk
Adversaries may create a local account to maintain persistent access to victim systems. Local accounts can be created using built-in OS commands such as net user /add (Windows), useradd or adduser (Linux), or dscl -create (macOS). Adversaries including Wizard Spider, APT5, Fox Kitten, TeamTNT, and FIN13 have used this technique to establish secondary access that survives credential rotation and does not require persistent remote access tools. Created accounts are often added to the local Administrators group to maximize their utility. Common naming patterns observed in the wild include service-like names (supportaccount, HelpAssistant) designed to blend with legitimate accounts.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1136 Create Account
- Sub-technique
- T1136.001 Local Account
- Canonical reference
- https://attack.mitre.org/techniques/T1136/001/
SPL Detection Query
| union
[ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| eval DetectionBranch="SecurityEvent_4720"
| eval CreatedAccount=mvindex(split(Account_Name, "\\"), -1)
| eval CreatedBy=mvindex(split(Security_ID, "\\"), -1)
| eval SuspiciousName=if(match(lower(CreatedAccount), "(support|helpdesk|helpasst|helpassist|admin|svc|service|backup|test|temp|guest|user1|user2|anonymous)"), 1, 0)
| table _time, host, EventCode, CreatedAccount, CreatedBy, SuspiciousName, DetectionBranch ]
[ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4732
(Group_Name="Administrators" OR Group_Name="Remote Desktop Users" OR Group_Name="Remote Management Users" OR Group_Name="Backup Operators")
| eval DetectionBranch="SecurityEvent_4732_GroupAdd"
| eval AddedAccount=mvindex(split(Member_Name, "\\"), -1)
| table _time, host, EventCode, AddedAccount, Group_Name, Subject_Account_Name, DetectionBranch ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\net.exe" OR Image="*\\net1.exe")
CommandLine="* user *" CommandLine="*/add*"
| eval DetectionBranch="Sysmon_NetUserAdd"
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousParent, DetectionBranch ]
| eval AccountName=coalesce(CreatedAccount, AddedAccount, User)
| eval hour=tonumber(strftime(_time, "%H"))
| eval OffHours=if(hour < 7 OR hour >= 20, 1, 0)
| eval SuspicionScore=coalesce(SuspiciousName, 0) + coalesce(SuspiciousParent, 0) + OffHours
| table _time, host, AccountName, DetectionBranch, SuspicionScore, CommandLine, ParentImage, Group_Name
| sort - _timeDetects local account creation using three complementary detection branches across Security event logs and Sysmon: (1) Windows Security Event 4720 for direct account creation telemetry with suspicious name pattern scoring; (2) Security Event 4732 for accounts immediately added to Administrators or other privileged groups; (3) Sysmon Event ID 1 for net.exe/net1.exe /add command lines with parent process context. A suspicion score is calculated from suspicious account name patterns, suspicious parent processes, and off-hours activity to help analysts prioritize.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT helpdesk or system administrators creating local service accounts for new application deployments or onboarding workflows
- Software installers (e.g., SQL Server, IIS, application suites) that create dedicated local service accounts during setup
- Configuration management tooling (Ansible, Chef, Puppet, DSC) that enforces a local account policy and creates or recreates accounts as part of a run
- Automated provisioning systems creating local break-glass administrator accounts per a documented runbook
- Developer workstations where engineers create local test accounts during application development
Other platforms for T1136.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Local User Account with Net User
Expected signal: Security Event ID 4720 in Windows Security log: TargetUserName=df00testuser, SubjectUserName=<current admin account>. Sysmon Event ID 1: Image=net.exe or net1.exe, CommandLine containing 'user df00testuser /add'. Security Event ID 4722 (account enabled) will follow immediately.
- Test 2Create Local Account and Add to Administrators Group
Expected signal: Security Event ID 4720: account df00admintest created. Security Event ID 4732: member df00admintest added to Administrators group. Sysmon Event ID 1: two sequential net.exe process creation events — one with 'user /add' and one with 'localgroup Administrators /add'. The two events will be within seconds of each other on the same host.
- Test 3Create Local Account via PowerShell New-LocalUser
Expected signal: Security Event ID 4720: TargetUserName=df00pstest, SubjectUserName=<current user>. Security Event ID 4732: member df00pstest added to Administrators group. Sysmon Event ID 1: powershell.exe process with CommandLine containing 'New-LocalUser' and 'Add-LocalGroupMember'. PowerShell ScriptBlock Log Event ID 4104 will capture the full cmdlet invocations with all parameters.
- Test 4Create Local Account on Linux with useradd
Expected signal: auditd SYSCALL records for execve of /usr/sbin/useradd with arguments '-m -s /bin/bash -G sudo df00linuxtest'. syslog or auth.log entry: 'new user: name=df00linuxtest, UID=<uid>, GID=<gid>, home=/home/df00linuxtest, shell=/bin/bash'. auditd USER_MGMT type record for account creation. /etc/passwd and /etc/shadow modification events if file auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1136/001/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-entities
- https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day
- https://intezer.com/blog/research/hiddenwasp-malware-targeting-linux-systems/
- https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
- https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/
Unlock Pro Content
Get the full detection package for T1136.001 including response playbook, investigation guide, and atomic red team tests.