T1136.002

Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.

Microsoft Sentinel / Defender

kusto

// Branch 1: Security Event 4720 — Domain account created (logged on Domain Controllers)
let Branch1 = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| where TargetDomainName != "WORKGROUP" and TargetDomainName != ""
| extend CreatedAccount = TargetUserName
| extend CreatingAccount = SubjectUserName
| extend CreatingDomain = SubjectDomainName
| extend AccountDomain = TargetDomainName
| project TimeGenerated, Computer, EventID, CreatedAccount, AccountDomain, CreatingAccount, CreatingDomain, Activity
| extend DetectionBranch = "SecurityEvent_4720";
// Branch 2: Security Event 4728 — Member added to security-enabled global group (e.g. Domain Admins)
let Branch2 = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4728
| where TargetUserName in~ ("Domain Admins", "Enterprise Admins", "Schema Admins", "Group Policy Creator Owners", "Administrators")
| extend AddedAccount = MemberName
| extend AddingAccount = SubjectUserName
| extend PrivilegedGroup = TargetUserName
| project TimeGenerated, Computer, EventID, AddedAccount, PrivilegedGroup, AddingAccount, Activity
| extend DetectionBranch = "SecurityEvent_4728_PrivGroup";
// Branch 3: Process-based detection — net.exe or dsadd.exe creating domain accounts
let Branch3 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe", "dsadd.exe")
| where ProcessCommandLine has_any ("/add", "/domain", "user")
| where (ProcessCommandLine has "/domain" and ProcessCommandLine has "/add")
   or ProcessCommandLine has "dsadd user"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionBranch = "ProcessCmdLine_NetAddDomain";
// Branch 4: PowerShell New-ADUser or Add-ADGroupMember for privileged groups
let Branch4 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("New-ADUser", "Add-ADGroupMember", "New-ADAccount")
| where ProcessCommandLine has_any ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "-AccountPassword", "-Enabled $true")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionBranch = "PowerShell_NewADUser";
Branch1
| union (Branch2 | project TimeGenerated, Computer, DetectionBranch, tostring(AddedAccount), tostring(AddingAccount), tostring(PrivilegedGroup))
| union (Branch3 | project TimeGenerated=Timestamp, Computer=DeviceName, DetectionBranch, ProcessCommandLine, InitiatingProcessFileName)
| union (Branch4 | project TimeGenerated=Timestamp, Computer=DeviceName, DetectionBranch, ProcessCommandLine, InitiatingProcessFileName)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

User Account: User Account Creation Active Directory: Active Directory Object Creation Process: Process Creation Command: Command Execution Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Helpdesk and IT provisioning teams creating user accounts during onboarding workflows — especially common during business hours from known provisioning systems
Automated identity provisioning systems (Okta, SailPoint, Microsoft Identity Manager) that create AD accounts via scripted processes using net.exe or LDAP
Domain controller promotion and demotion processes that create service and machine accounts during infrastructure maintenance
Test account creation in dev/staging domains during application testing or DR exercises
Software installation routines that create domain service accounts (SQL Server, Exchange, SharePoint setup)

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
  (EventCode=4720 OR EventCode=4728 OR EventCode=4741)
| eval DetectionBranch=case(
    EventCode=4720, "DomainAccountCreated",
    EventCode=4728, "MemberAddedToGlobalGroup",
    EventCode=4741, "ComputerAccountCreated",
    true(), "Unknown"
  )
| eval CreatedAccount=coalesce(TargetUserName, MemberName)
| eval ActingAccount=SubjectUserName
| eval ActingDomain=SubjectDomainName
| eval TargetGroup=if(EventCode=4728, TargetUserName, null())
| eval IsPrivilegedGroup=if(match(TargetGroup, "(?i)(domain admins|enterprise admins|schema admins|group policy creator owners|administrators)"), 1, 0)
| eval SuspicionScore=case(
    EventCode=4720 AND match(ActingAccount, "(?i)(admin|svc|service|system)"), 2,
    EventCode=4720, 1,
    EventCode=4728 AND IsPrivilegedGroup=1, 3,
    EventCode=4728, 1,
    EventCode=4741, 1,
    true(), 0
  )
| where SuspicionScore > 0
| table _time, host, EventCode, DetectionBranch, CreatedAccount, ActingAccount, ActingDomain, TargetGroup, IsPrivilegedGroup, SuspicionScore
| sort - SuspicionScore, - _time

```
| appendcols
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (CommandLine="*net user*" AND CommandLine="*/add*" AND CommandLine="*/domain*")
     OR (CommandLine="*dsadd user*")
     OR (CommandLine="*New-ADUser*")
     OR (CommandLine="*Add-ADGroupMember*" AND (CommandLine="*Domain Admins*" OR CommandLine="*Enterprise Admins*"))
    | eval DetectionBranch="ProcessCmdLine_ADUser"
    | eval SuspicionScore=2
    | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, SuspicionScore]
```

high severity high confidence

Data Sources

User Account: User Account Creation Active Directory: Active Directory Object Creation Process: Process Creation Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Helpdesk and IT provisioning teams creating user accounts during onboarding workflows
Automated identity provisioning tools (Okta, SailPoint, Microsoft Identity Manager) running as service accounts
Domain controller infrastructure operations creating machine or service accounts
Software setup routines for enterprise applications (SQL Server, Exchange) that create domain service accounts
Security red team exercises or authorized penetration tests in production domains

Elastic Security (EQL)

eql

any where
  (
    // Branch 1: Security Event 4720 — Domain account created on Domain Controller
    (
      event.code == "4720" and
      winlog.event_data.TargetDomainName != null and
      winlog.event_data.TargetDomainName != "WORKGROUP" and
      winlog.event_data.TargetDomainName != ""
    )
    or
    // Branch 2: Security Event 4728 — Member added to privileged global security group
    (
      event.code == "4728" and
      winlog.event_data.TargetUserName in~ (
        "Domain Admins", "Enterprise Admins", "Schema Admins",
        "Group Policy Creator Owners", "Administrators"
      )
    )
    or
    // Branch 3: net.exe / net1.exe / dsadd.exe creating domain accounts via command line
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("net.exe", "net1.exe", "dsadd.exe") and
      (
        (process.command_line like~ "*/add*" and process.command_line like~ "*/domain*") or
        process.command_line like~ "*dsadd user*"
      )
    )
    or
    // Branch 4: PowerShell AD cmdlets creating or adding accounts to privileged groups
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.command_line like~ ("*New-ADUser*", "*Add-ADGroupMember*", "*New-ADAccount*") and
      process.command_line like~ (
        "*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*",
        "*Administrators*", "*-AccountPassword*", "*-Enabled $true*"
      )
    )
  )

high severity high confidence

Data Sources

Windows Security Event Logs via Winlogbeat or Elastic Agent Sysmon (process creation)

Required Tables

winlog (Windows Event Log index) logs-endpoint.events.process-*

False Positives

Authorized IT administrators running net.exe or PowerShell scripts to provision domain accounts for new employees during onboarding workflows
Identity governance platforms (SailPoint, Saviynt, Okta AD sync, Azure AD Connect) performing automated account lifecycle management that creates or modifies AD group memberships
Help desk staff using approved ticketed procedures to add users to Domain Admins or Administrators groups for temporary elevated access during incident response

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  "EventID",
  "TargetUserName",
  "SubjectUserName",
  "SubjectDomainName",
  "TargetDomainName",
  "MemberName",
  "CommandLine",
  "Image" AS ProcessImage,
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "EventID" = '4720' THEN 'DomainAccountCreated'
    WHEN "EventID" = '4728' THEN 'PrivilegedGroupMemberAdded'
    WHEN "EventID" = '4741' THEN 'ComputerAccountCreated'
    WHEN "EventID" = '1'   THEN 'ProcessCmdLine_ADCreation'
    ELSE 'Unknown'
  END AS DetectionBranch,
  CASE
    WHEN "EventID" = '4728' AND LOWER("TargetUserName") IN ('domain admins','enterprise admins','schema admins') THEN 3
    WHEN "EventID" = '4720' THEN 2
    ELSE 1
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 13, 14)
AND (
  -- Branch 1: Domain account created, excluding local WORKGROUP accounts
  ("EventID" = '4720'
    AND "TargetDomainName" <> 'WORKGROUP'
    AND "TargetDomainName" <> '')
  OR
  -- Branch 2: Member added to privileged global security group
  ("EventID" = '4728'
    AND LOWER("TargetUserName") IN (
      'domain admins', 'enterprise admins', 'schema admins',
      'group policy creator owners', 'administrators'
    ))
  OR
  -- Branch 3: Computer account created
  "EventID" = '4741'
  OR
  -- Branch 4: Sysmon or 4688 process-based detection — net.exe, dsadd.exe, PowerShell AD cmdlets
  ("EventID" IN ('1', '4688')
    AND (
      (LOWER("Image") LIKE '%\\net.exe'
        OR LOWER("Image") LIKE '%\\net1.exe'
        OR LOWER("Image") LIKE '%\\dsadd.exe')
      AND (LOWER("CommandLine") LIKE '%/add%'
        AND LOWER("CommandLine") LIKE '%/domain%')
    OR LOWER("CommandLine") LIKE '%dsadd user%'
    OR (
      (LOWER("Image") LIKE '%powershell.exe'
        OR LOWER("Image") LIKE '%pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-aduser%'
        OR LOWER("CommandLine") LIKE '%add-adgroupmember%'
        OR LOWER("CommandLine") LIKE '%new-adaccount%')
      AND (LOWER("CommandLine") LIKE '%domain admins%'
        OR LOWER("CommandLine") LIKE '%enterprise admins%'
        OR LOWER("CommandLine") LIKE '%schema admins%'
        OR LOWER("CommandLine") LIKE '%-accountpassword%')
    ))
  )
)
ORDER BY SuspicionScore DESC, devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Security Event Log DSM (LOGSOURCETYPEID 12) Microsoft Windows Sysmon DSM (LOGSOURCETYPEID 14) Windows Event Collector

Required Tables

events

False Positives

Authorized system administrators creating domain service accounts for new application deployments using net.exe or PowerShell in documented change windows
Identity and Access Management (IAM) platforms such as CyberArk, BeyondTrust, or SolarWinds ARM performing automated group membership changes as part of role provisioning
Active Directory migration projects using dsadd.exe or bulk PowerShell scripts to recreate accounts during domain restructuring or forest trust migrations

Sumo Logic CSE

sql

(_sourceCategory=*windows*security* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| parse regex "(?:EventCode|EventID)[=:\s]+(?<EventCode>\d+)" nodrop
| parse "TargetUserName=*\n" as TargetUserName nodrop
| parse "SubjectUserName=*\n" as SubjectUserName nodrop
| parse "SubjectDomainName=*\n" as SubjectDomainName nodrop
| parse "TargetDomainName=*\n" as TargetDomainName nodrop
| parse "MemberName=*\n" as MemberName nodrop
| parse "CommandLine=*\n" as CommandLine nodrop
| parse "Image=*\n" as ProcessImage nodrop
| parse "ParentImage=*\n" as ParentImage nodrop
| where EventCode in ("4720", "4728", "4741", "1", "4688")
| where (
    // Branch 1: Domain account created — filter out local WORKGROUP accounts
    (EventCode == "4720"
      AND !isNull(TargetDomainName)
      AND TargetDomainName != "WORKGROUP"
      AND TargetDomainName != "")
    OR
    // Branch 2: Privileged global group membership change
    (EventCode == "4728"
      AND matches(TargetUserName, "(?i)(domain admins|enterprise admins|schema admins|group policy creator owners|administrators)"))
    OR
    // Branch 3: Computer account created
    EventCode == "4741"
    OR
    // Branch 4: net.exe / dsadd.exe domain account creation via command line
    (EventCode in ("1", "4688")
      AND (
        (matches(ProcessImage, "(?i)(\\\\net\.exe|\\\\net1\.exe|\\\\dsadd\.exe)")
          AND matches(CommandLine, "(?i)(/add.*/domain|/domain.*/add|dsadd\\s+user)"))
        OR
        (matches(ProcessImage, "(?i)(powershell\.exe|pwsh\.exe)")
          AND matches(CommandLine, "(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)")
          AND matches(CommandLine, "(?i)(Domain Admins|Enterprise Admins|Schema Admins|Administrators|-AccountPassword|-Enabled\\s*\\$true)"))
      ))
  )
| eval DetectionBranch = if(EventCode == "4720", "DomainAccountCreated",
    if(EventCode == "4728", "PrivilegedGroupMembership",
    if(EventCode == "4741", "ComputerAccountCreated",
    if(matches(CommandLine, "(?i)(New-ADUser|Add-ADGroupMember)"), "PowerShell_ADCmdlet",
    "ProcessCmdLine_NetAddDomain"))))
| eval SuspicionScore = if(EventCode == "4728" AND matches(TargetUserName, "(?i)(domain admins|enterprise admins|schema admins)"), 3,
    if(EventCode == "4720" AND matches(SubjectUserName, "(?i)(admin|svc|service|system)"), 2,
    if(EventCode == "4720", 1,
    if(EventCode in ("1", "4688"), 2, 1))))
| table _time, _sourceHost, EventCode, DetectionBranch, TargetUserName, SubjectUserName, SubjectDomainName, TargetDomainName, MemberName, CommandLine, ProcessImage, ParentImage, SuspicionScore
| sort by SuspicionScore desc, _time desc

high severity high confidence

Data Sources

Windows Security Event Logs (Sumo Logic Windows source) Sysmon operational logs Windows Event Collector forwarded logs

Required Tables

_sourceCategory=*windows*security* _sourceCategory=*sysmon*

False Positives

IT provisioning runbooks executed by administrators using net.exe or PowerShell to create service accounts for newly deployed applications or services
Directory synchronization agents (Azure AD Connect, Okta AD agent) creating or updating accounts and group memberships as part of hybrid identity synchronization cycles
Privileged Access Management (PAM) tools dynamically adding accounts to privileged groups for just-in-time access sessions, then removing them after session expiry

Google Chronicle / SecOps

yaral

rule T1136_002_domain_account_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects domain account creation and privileged AD group membership additions consistent with T1136.002. Covers Windows Security Events 4720/4728 and process-based creation via net.exe, dsadd.exe, and PowerShell AD cmdlets."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1136.002"
    mitre_attack_technique_name = "Create Account: Domain Account"
    reference = "https://attack.mitre.org/techniques/T1136/002/"
    false_positives = "Authorized IT provisioning, IAM platform automation, AD migration tooling"
    version = "1.0"

  events:
    (
      // Branch 1: Domain account created — Security Event 4720
      (
        $e.metadata.event_type = "USER_CREATION" and
        $e.metadata.product_event_type = "4720" and
        not re.regex($e.target.administrative_domain, `(?i)^WORKGROUP$`) and
        $e.target.administrative_domain != ""
      )
      or
      // Branch 2: Member added to privileged global security group — Security Event 4728
      (
        $e.metadata.event_type = "GROUP_MODIFICATION" and
        $e.metadata.product_event_type = "4728" and
        re.regex($e.target.group.group_display_name,
          `(?i)(domain\s+admins|enterprise\s+admins|schema\s+admins|group\s+policy\s+creator\s+owners|^administrators$)`)
      )
      or
      // Branch 3: net.exe / net1.exe / dsadd.exe with /add /domain flags
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(\\net\.exe$|\\net1\.exe$|\\dsadd\.exe$)`) and
        (
          re.regex($e.target.process.command_line, `(?i)/add`) and
          re.regex($e.target.process.command_line, `(?i)/domain`)
        ) or
        re.regex($e.target.process.command_line, `(?i)dsadd\s+user`)
      )
      or
      // Branch 4: PowerShell New-ADUser or Add-ADGroupMember targeting privileged groups
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(\\powershell\.exe$|\\pwsh\.exe$)`) and
        re.regex($e.target.process.command_line,
          `(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)`) and
        re.regex($e.target.process.command_line,
          `(?i)(Domain\s+Admins|Enterprise\s+Admins|Schema\s+Admins|Administrators|-AccountPassword|-Enabled\s+\$true)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs ingested via Chronicle forwarder Endpoint telemetry via Chronicle Endpoint Detection

Required Tables

USER_CREATION UDM events GROUP_MODIFICATION UDM events PROCESS_LAUNCH UDM events

False Positives

Authorized identity lifecycle management platforms (SailPoint IdentityIQ, Saviynt, Omada) performing automated AD account provisioning through approved integration workflows
System administrators executing net.exe or PowerShell AD scripts in documented change management windows for routine account provisioning
Active Directory migration or consolidation projects using dsadd.exe or bulk PowerShell cmdlets to recreate accounts during forest restructuring

CrowdStrike LogScale (CQL)

cql

// Branch 3–4: Process-based detection via Falcon EDR telemetry
#event_simpleName = ProcessRollup2
| FileName = /(?i)^(net|net1|dsadd|powershell|pwsh)\.exe$/
| case {
    FileName = /(?i)^(net|net1|dsadd)\.exe$/ AND CommandLine = /(?i)((\/add.*\/domain|\/domain.*\/add)|dsadd\s+user)/
      | DetectionBranch := "ProcessCmdLine_NetAddDomain" | SuspicionScore := 2 ;
    FileName = /(?i)^(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)/ AND CommandLine = /(?i)(Domain Admins|Enterprise Admins|Schema Admins|Administrators|-AccountPassword|-Enabled)/
      | DetectionBranch := "PowerShell_ADCmdlet" | SuspicionScore := 3 ;
    * | drop
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])

union

// Branch 1–2: Audit event-based detection via Falcon Identity Protection or Windows event forwarding
#event_simpleName = UserAccountCreated
| UserIsAdmin = /0|false/i OR UserIsAdmin = *
| DomainName != "WORKGROUP" AND DomainName != ""
| DetectionBranch := "DomainAccountCreated"
| SuspicionScore := 2
| table([timestamp, ComputerName, UserName, DomainName, SubjectUserName, DetectionBranch, SuspicionScore])

union

#event_simpleName = UserAccountAddedToGroup
| GroupName = /(?i)(Domain Admins|Enterprise Admins|Schema Admins|Group Policy Creator Owners|^Administrators$)/
| DetectionBranch := "PrivilegedGroupMembership"
| SuspicionScore := 3
| table([timestamp, ComputerName, UserName, GroupName, SubjectUserName, DetectionBranch, SuspicionScore])

| sort(SuspicionScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR (Falcon Insight) CrowdStrike Falcon Identity Protection CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2 UserAccountCreated UserAccountAddedToGroup

False Positives

Endpoint management tooling (SCCM, Tanium, Ansible) invoking net.exe as part of automated device provisioning or configuration management tasks
IT administrators executing approved PowerShell runbooks to manage AD group memberships during quarterly access reviews or role-based access control audits
Automated identity provisioning integrations triggered by HR system events (new hire, role change) that call AD cmdlets to create accounts and assign group memberships

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1136.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections