T1136.002 Google Chronicle · YARA-L

Detect Domain Account in Google Chronicle

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.

MITRE ATT&CK

Tactic
Persistence
Technique
T1136 Create Account
Sub-technique
T1136.002 Domain Account
Canonical reference
https://attack.mitre.org/techniques/T1136/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule T1136_002_domain_account_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects domain account creation and privileged AD group membership additions consistent with T1136.002. Covers Windows Security Events 4720/4728 and process-based creation via net.exe, dsadd.exe, and PowerShell AD cmdlets."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1136.002"
    mitre_attack_technique_name = "Create Account: Domain Account"
    reference = "https://attack.mitre.org/techniques/T1136/002/"
    false_positives = "Authorized IT provisioning, IAM platform automation, AD migration tooling"
    version = "1.0"

  events:
    (
      // Branch 1: Domain account created — Security Event 4720
      (
        $e.metadata.event_type = "USER_CREATION" and
        $e.metadata.product_event_type = "4720" and
        not re.regex($e.target.administrative_domain, `(?i)^WORKGROUP$`) and
        $e.target.administrative_domain != ""
      )
      or
      // Branch 2: Member added to privileged global security group — Security Event 4728
      (
        $e.metadata.event_type = "GROUP_MODIFICATION" and
        $e.metadata.product_event_type = "4728" and
        re.regex($e.target.group.group_display_name,
          `(?i)(domain\s+admins|enterprise\s+admins|schema\s+admins|group\s+policy\s+creator\s+owners|^administrators$)`)
      )
      or
      // Branch 3: net.exe / net1.exe / dsadd.exe with /add /domain flags
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(\\net\.exe$|\\net1\.exe$|\\dsadd\.exe$)`) and
        (
          re.regex($e.target.process.command_line, `(?i)/add`) and
          re.regex($e.target.process.command_line, `(?i)/domain`)
        ) or
        re.regex($e.target.process.command_line, `(?i)dsadd\s+user`)
      )
      or
      // Branch 4: PowerShell New-ADUser or Add-ADGroupMember targeting privileged groups
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(\\powershell\.exe$|\\pwsh\.exe$)`) and
        re.regex($e.target.process.command_line,
          `(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)`) and
        re.regex($e.target.process.command_line,
          `(?i)(Domain\s+Admins|Enterprise\s+Admins|Schema\s+Admins|Administrators|-AccountPassword|-Enabled\s+\$true)`)
      )
    )

  condition:
    $e
}
high severity high confidence

Detects domain account creation and privileged Active Directory group membership additions across four behavioral branches: Security Event 4720 (domain account created), Security Event 4728 (privileged group member added), process execution of net.exe/dsadd.exe with domain creation flags, and PowerShell New-ADUser or Add-ADGroupMember cmdlets targeting Domain Admins, Enterprise Admins, or Schema Admins groups.

Data Sources

Google Chronicle SIEMWindows Event Logs ingested via Chronicle forwarderEndpoint telemetry via Chronicle Endpoint Detection

Required Tables

USER_CREATION UDM eventsGROUP_MODIFICATION UDM eventsPROCESS_LAUNCH UDM events

False Positives & Tuning

  • Authorized identity lifecycle management platforms (SailPoint IdentityIQ, Saviynt, Omada) performing automated AD account provisioning through approved integration workflows
  • System administrators executing net.exe or PowerShell AD scripts in documented change management windows for routine account provisioning
  • Active Directory migration or consolidation projects using dsadd.exe or bulk PowerShell cmdlets to recreate accounts during forest restructuring
Download portable Sigma rule (.yml)

Other platforms for T1136.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Domain Account via Net User

    Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.

  2. Test 2Create Domain Account and Add to Domain Admins via PowerShell

    Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.

  3. Test 3Create Domain Account via dsadd

    Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.

  4. Test 4Simulate Adversary Account Naming with Empire-style Pattern

    Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1136.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1136Create Account

Related Sub-techniques

T1136.001Local AccountT1136.003Cloud Account

Related Techniques

T1136Create AccountT1136.001Local AccountT1078.002Domain AccountsT1098.001Additional Cloud CredentialsT1087.002Domain AccountT1069.002Domain GroupsT1003.003NTDST1484.001Group Policy ModificationT1021.002SMB/Windows Admin Shares

Same Tactic: Persistence

Popular Detections