Which SIEM platforms have a T1136.002 detection rule?

df00tech provides T1136.002 (Domain Account) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Domain Account (T1136.002)?

Detecting Domain Account requires the following data sources: User Account: User Account Creation, Active Directory: Active Directory Object Creation, Process: Process Creation, Command: Command Execution, Windows Security Event Log, Microsoft Defender for Endpoint.

What severity and confidence is the T1136.002 detection?

The T1136.002 detection is rated high severity with high confidence.

What are common false positives for T1136.002?

Common false positives for T1136.002 include: Helpdesk and IT provisioning teams creating user accounts during onboarding workflows — especially common during business hours from known provisioning systems; Automated identity provisioning systems (Okta, SailPoint, Microsoft Identity Manager) that create AD accounts via scripted processes using net.exe or LDAP; Domain controller promotion and demotion processes that create service and machine accounts during infrastructure maintenance.

T1136.002 CrowdStrike LogScale · LogScale

Detect Domain Account in CrowdStrike LogScale

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.

MITRE ATT&CK

Tactic: Persistence
Technique: T1136 Create Account
Sub-technique: T1136.002 Domain Account
Canonical reference: https://attack.mitre.org/techniques/T1136/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

// Branch 3–4: Process-based detection via Falcon EDR telemetry
#event_simpleName = ProcessRollup2
| FileName = /(?i)^(net|net1|dsadd|powershell|pwsh)\.exe$/
| case {
    FileName = /(?i)^(net|net1|dsadd)\.exe$/ AND CommandLine = /(?i)((\/add.*\/domain|\/domain.*\/add)|dsadd\s+user)/
      | DetectionBranch := "ProcessCmdLine_NetAddDomain" | SuspicionScore := 2 ;
    FileName = /(?i)^(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)/ AND CommandLine = /(?i)(Domain Admins|Enterprise Admins|Schema Admins|Administrators|-AccountPassword|-Enabled)/
      | DetectionBranch := "PowerShell_ADCmdlet" | SuspicionScore := 3 ;
    * | drop
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])

union

// Branch 1–2: Audit event-based detection via Falcon Identity Protection or Windows event forwarding
#event_simpleName = UserAccountCreated
| UserIsAdmin = /0|false/i OR UserIsAdmin = *
| DomainName != "WORKGROUP" AND DomainName != ""
| DetectionBranch := "DomainAccountCreated"
| SuspicionScore := 2
| table([timestamp, ComputerName, UserName, DomainName, SubjectUserName, DetectionBranch, SuspicionScore])

union

#event_simpleName = UserAccountAddedToGroup
| GroupName = /(?i)(Domain Admins|Enterprise Admins|Schema Admins|Group Policy Creator Owners|^Administrators$)/
| DetectionBranch := "PrivilegedGroupMembership"
| SuspicionScore := 3
| table([timestamp, ComputerName, UserName, GroupName, SubjectUserName, DetectionBranch, SuspicionScore])

| sort(SuspicionScore, order=desc)

high severity medium confidence

Detects domain account creation and privileged group membership additions using CrowdStrike Falcon EDR telemetry. ProcessRollup2 events detect net.exe, dsadd.exe, and PowerShell AD cmdlet execution with domain account creation patterns. UserAccountCreated and UserAccountAddedToGroup events from Falcon Identity Protection cover audit-trail equivalent detection for Security Events 4720 and 4728. Results are scored by suspicion level.

Data Sources

CrowdStrike Falcon EDR (Falcon Insight)CrowdStrike Falcon Identity ProtectionCrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2UserAccountCreatedUserAccountAddedToGroup

False Positives & Tuning

Endpoint management tooling (SCCM, Tanium, Ansible) invoking net.exe as part of automated device provisioning or configuration management tasks
IT administrators executing approved PowerShell runbooks to manage AD group memberships during quarterly access reviews or role-based access control audits
Automated identity provisioning integrations triggered by HR system events (new hire, role change) that call AD cmdlets to create accounts and assign group memberships

Download portable Sigma rule (.yml)

Other platforms for T1136.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Create Domain Account via Net User
Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.
Test 2Create Domain Account and Add to Domain Admins via PowerShell
Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.
Test 3Create Domain Account via dsadd
Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.
Test 4Simulate Adversary Account Naming with Empire-style Pattern
Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1136.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Domain Account in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1136.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1136.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox