Detect Domain Account in Microsoft Sentinel
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1136 Create Account
- Sub-technique
- T1136.002 Domain Account
- Canonical reference
- https://attack.mitre.org/techniques/T1136/002/
KQL Detection Query
// Branch 1: Security Event 4720 — Domain account created (logged on Domain Controllers)
let Branch1 = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| where TargetDomainName != "WORKGROUP" and TargetDomainName != ""
| extend CreatedAccount = TargetUserName
| extend CreatingAccount = SubjectUserName
| extend CreatingDomain = SubjectDomainName
| extend AccountDomain = TargetDomainName
| project TimeGenerated, Computer, EventID, CreatedAccount, AccountDomain, CreatingAccount, CreatingDomain, Activity
| extend DetectionBranch = "SecurityEvent_4720";
// Branch 2: Security Event 4728 — Member added to security-enabled global group (e.g. Domain Admins)
let Branch2 = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4728
| where TargetUserName in~ ("Domain Admins", "Enterprise Admins", "Schema Admins", "Group Policy Creator Owners", "Administrators")
| extend AddedAccount = MemberName
| extend AddingAccount = SubjectUserName
| extend PrivilegedGroup = TargetUserName
| project TimeGenerated, Computer, EventID, AddedAccount, PrivilegedGroup, AddingAccount, Activity
| extend DetectionBranch = "SecurityEvent_4728_PrivGroup";
// Branch 3: Process-based detection — net.exe or dsadd.exe creating domain accounts
let Branch3 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe", "dsadd.exe")
| where ProcessCommandLine has_any ("/add", "/domain", "user")
| where (ProcessCommandLine has "/domain" and ProcessCommandLine has "/add")
or ProcessCommandLine has "dsadd user"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionBranch = "ProcessCmdLine_NetAddDomain";
// Branch 4: PowerShell New-ADUser or Add-ADGroupMember for privileged groups
let Branch4 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("New-ADUser", "Add-ADGroupMember", "New-ADAccount")
| where ProcessCommandLine has_any ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "-AccountPassword", "-Enabled $true")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionBranch = "PowerShell_NewADUser";
Branch1
| union (Branch2 | project TimeGenerated, Computer, DetectionBranch, AddedAccount, AddingAccount, PrivilegedGroup)
| union (Branch3 | project TimeGenerated=Timestamp, Computer=DeviceName, DetectionBranch, AccountName, ProcessCommandLine, InitiatingProcessFileName)
| union (Branch4 | project TimeGenerated=Timestamp, Computer=DeviceName, DetectionBranch, AccountName, ProcessCommandLine, InitiatingProcessFileName)
| sort by TimeGenerated desc

Four-branch detection for domain account creation. Branch 1 monitors Security Event 4720 (user account created) on Domain Controllers, filtered to non-workgroup domains to target AD account creation. Branch 2 monitors Security Event 4728 for new members added to high-privilege groups (Domain Admins, Enterprise Admins, Schema Admins). Branch 3 detects net.exe or net1.exe with /add /domain flags and dsadd.exe usage via DeviceProcessEvents. Branch 4 detects PowerShell New-ADUser and Add-ADGroupMember cmdlets targeting privileged groups. Together these branches provide coverage across command-line, scripting, and AD event log vectors. Note that the union keeps the Branch 2 columns under their own names (MemberName, SubjectUserName and TargetUserName are already strings), so no tostring() wrapper is needed; an unnamed expression in project would otherwise be emitted as an auto-generated column name and fail to line up with the other branches.
Data Sources
Required Tables
False Positives & Tuning
- Helpdesk and IT provisioning teams creating user accounts during onboarding workflows — especially common during business hours from known provisioning systems
- Automated identity provisioning systems (Okta, SailPoint, Microsoft Identity Manager) that create AD accounts via scripted processes using net.exe or LDAP
- Domain controller promotion and demotion processes that create service and machine accounts during infrastructure maintenance
- Test account creation in dev/staging domains during application testing or DR exercises
- Software installation routines that create domain service accounts (SQL Server, Exchange, SharePoint setup)
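The query above surfaces each branch independently. The correlation below, an added example that is not part of this page's detection package, joins a 4720 account creation to a 4728 privileged-group add for the same account within 30 minutes (the Test 2 scenario) and excludes the provisioning identities described under False Positives. The allowlist names, the 30-minute window and the DN layout of MemberName are assumptions to adapt to your environment.

```kql
// Added example (not the page's own query). Allowlist entries are placeholders.
let ProvisioningAccounts = dynamic(["svc_okta_prov", "svc_sailpoint", "svc_mim"]);
let PrivilegedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Group Policy Creator Owners", "Administrators"]);
// Step 1: account creations on Domain Controllers, minus known provisioning identities
let Created = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| where TargetDomainName != "WORKGROUP" and isnotempty(TargetDomainName)
| where SubjectUserName !in~ (ProvisioningAccounts)
| project CreatedTime = TimeGenerated, DC = Computer, CreatedAccount = TargetUserName,
          AccountDomain = TargetDomainName, CreatedBy = SubjectUserName;
// Step 2: additions to privileged groups; MemberName is assumed to be a distinguished name
// such as CN=df00tech_priv_test,CN=Users,DC=corp,DC=example, so only the CN is kept
let AddedToPrivGroup = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4728
| where TargetUserName in~ (PrivilegedGroups)
| extend AddedAccount = coalesce(extract(@"^CN=([^,]+)", 1, MemberName), MemberName)
| project AddedTime = TimeGenerated, AddedAccount, PrivilegedGroup = TargetUserName,
          AddedBy = SubjectUserName;
// Step 3: same account created and then privileged within 30 minutes
Created
| join kind=inner (AddedToPrivGroup) on $left.CreatedAccount == $right.AddedAccount
| where AddedTime between (CreatedTime .. (CreatedTime + 30m))
| extend MinutesToPrivilege = datetime_diff("minute", AddedTime, CreatedTime)
// Test 4 pattern: a user account with a "$" suffix or svc_ prefix mimics a machine or
// service account; flagged for triage, not used as a filter
| extend NamingAnomaly = CreatedAccount endswith "$" or CreatedAccount startswith "svc_"
| project CreatedTime, AddedTime, MinutesToPrivilege, DC, AccountDomain, CreatedAccount,
          CreatedBy, PrivilegedGroup, AddedBy, NamingAnomaly
| sort by CreatedTime desc
```

A hit here is a newly created domain account that became a member of a Tier 0 group almost immediately, which is rare in legitimate onboarding and should be triaged ahead of the single-branch results.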
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Domain Account via Net User
Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.
- Test 2: Create Domain Account and Add to Domain Admins via PowerShell
Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.
- Test 3: Create Domain Account via dsadd
Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.
- Test 4: Simulate Adversary Account Naming with Empire-style Pattern
Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.
References (10)
- https://attack.mitre.org/techniques/T1136/002/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
- https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
- https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-redefining-speed
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-058a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser