T1136.002 IBM QRadar · QRadar

Detect Domain Account in IBM QRadar

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.

MITRE ATT&CK

Tactic
Persistence
Technique
T1136 Create Account
Sub-technique
T1136.002 Domain Account
Canonical reference
https://attack.mitre.org/techniques/T1136/002/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  "EventID",
  "TargetUserName",
  "SubjectUserName",
  "SubjectDomainName",
  "TargetDomainName",
  "MemberName",
  "CommandLine",
  "Image" AS ProcessImage,
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "EventID" = '4720' THEN 'DomainAccountCreated'
    WHEN "EventID" = '4728' THEN 'PrivilegedGroupMemberAdded'
    WHEN "EventID" = '4741' THEN 'ComputerAccountCreated'
    WHEN "EventID" IN ('1', '4688') THEN 'ProcessCmdLine_ADCreation'
    ELSE 'Unknown'
  END AS DetectionBranch,
  CASE
    WHEN "EventID" = '4728' AND LOWER("TargetUserName") IN ('domain admins','enterprise admins','schema admins') THEN 3
    WHEN "EventID" = '4720' THEN 2
    ELSE 1
  END AS SuspicionScore
FROM events
-- devicetype holds the log source type id: 12 = Windows Security Event Log, 14 = Sysmon (see Data Sources)
WHERE devicetype IN (12, 13, 14)
AND (
  -- Branch 1: Domain account created, excluding local WORKGROUP accounts
  ("EventID" = '4720'
    AND "TargetDomainName" <> 'WORKGROUP'
    AND "TargetDomainName" <> '')
  OR
  -- Branch 2: Member added to privileged global security group
  ("EventID" = '4728'
    AND LOWER("TargetUserName") IN (
      'domain admins', 'enterprise admins', 'schema admins',
      'group policy creator owners', 'administrators'
    ))
  OR
  -- Branch 3: Computer account created
  "EventID" = '4741'
  OR
  -- Branch 4: Sysmon or 4688 process-based detection: net.exe, dsadd.exe, PowerShell AD cmdlets
  ("EventID" IN ('1', '4688')
    AND (
      (LOWER("Image") LIKE '%\\net.exe'
        OR LOWER("Image") LIKE '%\\net1.exe'
        OR LOWER("Image") LIKE '%\\dsadd.exe')
      AND (LOWER("CommandLine") LIKE '%/add%'
        AND LOWER("CommandLine") LIKE '%/domain%')
    OR LOWER("CommandLine") LIKE '%dsadd user%'
    OR (
      (LOWER("Image") LIKE '%powershell.exe'
        OR LOWER("Image") LIKE '%pwsh.exe')
      AND (LOWER("CommandLine") LIKE '%new-aduser%'
        OR LOWER("CommandLine") LIKE '%add-adgroupmember%'
        OR LOWER("CommandLine") LIKE '%new-adaccount%')
      AND (LOWER("CommandLine") LIKE '%domain admins%'
        OR LOWER("CommandLine") LIKE '%enterprise admins%'
        OR LOWER("CommandLine") LIKE '%schema admins%'
        OR LOWER("CommandLine") LIKE '%-accountpassword%')
    ))
  )
)
ORDER BY SuspicionScore DESC, devicetime DESC
LAST 24 HOURS
Severity
high
Confidence
high

Detects domain account creation and privileged Active Directory group membership changes using Windows Security Events 4720, 4728, 4741, and process-level events (Sysmon EventID 1 or Security EventID 4688) for net.exe, dsadd.exe, and PowerShell AD cmdlets. Assigns suspicion scoring based on target group sensitivity.

Data Sources

  • Microsoft Windows Security Event Log DSM (LOGSOURCETYPEID 12)
  • Microsoft Windows Sysmon DSM (LOGSOURCETYPEID 14)
  • Windows Event Collector

Required Tables

events

False Positives & Tuning

  • Authorized system administrators creating domain service accounts for new application deployments using net.exe or PowerShell in documented change windows
  • Identity and Access Management (IAM) platforms such as CyberArk, BeyondTrust, or SolarWinds ARM performing automated group membership changes as part of role provisioning
  • Active Directory migration projects using dsadd.exe or bulk PowerShell scripts to recreate accounts during domain restructuring or forest trust migrations
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Domain Account via Net User

    Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.

  2. Test 2: Create Domain Account and Add to Domain Admins via PowerShell

    Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.

  3. Test 3: Create Domain Account via dsadd

    Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.

  4. Test 4: Simulate Adversary Account Naming with Empire-style Pattern

    Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.
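As an added check of the detection logic (example code written for this page, not the query itself or anything from IBM), the WHERE branches and CASE scoring of the AQL query are re-implemented in Python and run over constructed events that mirror the expected signals of Tests 1 through 4, plus two events the query must not select. Field names follow the query's custom event properties, and Security 4688 is labelled the same as Sysmon 1.

```python
PRIV_GROUPS = {"domain admins", "enterprise admins", "schema admins",
               "group policy creator owners", "administrators"}
TOP_GROUPS = {"domain admins", "enterprise admins", "schema admins"}  # SuspicionScore 3
AD_CMDLETS = ("new-aduser", "add-adgroupmember", "new-adaccount")
PRIV_HINTS = ("domain admins", "enterprise admins", "schema admins", "-accountpassword")

def classify(ev):
    """Return (DetectionBranch, SuspicionScore) or None if the WHERE clause drops the event."""
    eid = ev.get("EventID", "")
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    target = ev.get("TargetUserName", "").lower()
    if eid == "4720":  # branch 1: local WORKGROUP / empty-domain accounts are excluded
        return None if ev.get("TargetDomainName", "") in ("", "WORKGROUP") else ("DomainAccountCreated", 2)
    if eid == "4728":  # branch 2: in 4728 TargetUserName carries the group name
        return None if target not in PRIV_GROUPS else ("PrivilegedGroupMemberAdded", 3 if target in TOP_GROUPS else 1)
    if eid == "4741":  # branch 3
        return ("ComputerAccountCreated", 1)
    if eid in ("1", "4688"):  # branch 4; 4688 gets the same label as Sysmon 1 here
        net_add = (image.endswith(("\\net.exe", "\\net1.exe", "\\dsadd.exe"))
                   and "/add" in cmd and "/domain" in cmd)
        ps_ad = (image.endswith(("powershell.exe", "pwsh.exe"))
                 and any(c in cmd for c in AD_CMDLETS) and any(h in cmd for h in PRIV_HINTS))
        if net_add or "dsadd user" in cmd or ps_ad:
            return ("ProcessCmdLine_ADCreation", 1)
    return None

# Constructed sample events mirroring the expected signals of Tests 1-4, plus two
# events the query must not select (a WORKGROUP account and a plain 'net user /domain').
SAMPLE_EVENTS = [
    {"EventID": "4720", "TargetUserName": "df00tech_test_acct", "TargetDomainName": "CORP"},
    {"EventID": "4720", "TargetUserName": "localadmin", "TargetDomainName": "WORKGROUP"},
    {"EventID": "4728", "TargetUserName": "Domain Admins", "MemberName": "df00tech_priv_test"},
    {"EventID": "1", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user df00tech_test_acct Passw0rd /add /domain"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\dsadd.exe",
     "CommandLine": "dsadd user CN=df00tech_dsadd_test,OU=Users,DC=corp,DC=local"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "New-ADUser -Name df00tech_priv_test -AccountPassword $p; "
                    "Add-ADGroupMember -Identity 'Domain Admins' -Members df00tech_priv_test"},
    {"EventID": "4688", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user /domain"},
]

def run_detection(events):
    """Mimic the query's result set: (SuspicionScore, DetectionBranch, subject), ordered by score DESC."""
    hits = [(res[1], res[0], ev.get("TargetUserName") or ev.get("CommandLine"))
            for ev in events if (res := classify(ev))]
    return sorted(hits, key=lambda h: h[0], reverse=True)
```

Running `run_detection(SAMPLE_EVENTS)` yields five hits: the Domain Admins addition (score 3) first, the CORP account creation (score 2) next, then the three process-based hits; the WORKGROUP account and the enumeration-only `net user /domain` are dropped, as in the query.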
