Detect Domain Account in Elastic Security
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1136 Create Account
- Sub-technique
- T1136.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1136/002/
Elastic Detection Query
any where
(
// Branch 1: Security Event 4720 — Domain account created on Domain Controller
(
event.code == "4720" and
winlog.event_data.TargetDomainName != null and
winlog.event_data.TargetDomainName != "WORKGROUP" and
winlog.event_data.TargetDomainName != ""
)
or
// Branch 2: Security Event 4728 — Member added to privileged global security group
(
event.code == "4728" and
winlog.event_data.TargetUserName in~ (
"Domain Admins", "Enterprise Admins", "Schema Admins",
"Group Policy Creator Owners", "Administrators"
)
)
or
// Branch 3: net.exe / net1.exe / dsadd.exe creating domain accounts via command line
(
event.category == "process" and event.type == "start" and
process.name in~ ("net.exe", "net1.exe", "dsadd.exe") and
(
(process.command_line like~ "*/add*" and process.command_line like~ "*/domain*") or
process.command_line like~ "*dsadd user*"
)
)
or
// Branch 4: PowerShell AD cmdlets creating or adding accounts to privileged groups
(
event.category == "process" and event.type == "start" and
process.name in~ ("powershell.exe", "pwsh.exe") and
process.command_line like~ ("*New-ADUser*", "*Add-ADGroupMember*", "*New-ADAccount*") and
process.command_line like~ (
"*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*",
"*Administrators*", "*-AccountPassword*", "*-Enabled $true*"
)
)
)Detects domain account creation and privileged group membership changes consistent with T1136.002. Covers Windows Security Event 4720 (account created on domain), Event 4728 (member added to privileged global group), and process-based detection via net.exe, dsadd.exe, and PowerShell New-ADUser/Add-ADGroupMember cmdlets targeting sensitive Active Directory groups.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT administrators running net.exe or PowerShell scripts to provision domain accounts for new employees during onboarding workflows
- Identity governance platforms (SailPoint, Saviynt, Okta AD sync, Azure AD Connect) performing automated account lifecycle management that creates or modifies AD group memberships
- Help desk staff using approved ticketed procedures to add users to Domain Admins or Administrators groups for temporary elevated access during incident response
Other platforms for T1136.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Domain Account via Net User
Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.
- Test 2Create Domain Account and Add to Domain Admins via PowerShell
Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.
- Test 3Create Domain Account via dsadd
Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.
- Test 4Simulate Adversary Account Naming with Empire-style Pattern
Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.
References (10)
- https://attack.mitre.org/techniques/T1136/002/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
- https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
- https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-redefining-speed
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-058a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser
Unlock Pro Content
Get the full detection package for T1136.002 including response playbook, investigation guide, and atomic red team tests.