T1136.002 Splunk · SPL

Detect Domain Account in Splunk

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.

MITRE ATT&CK

Tactic
Persistence
Technique
T1136 Create Account
Sub-technique
T1136.002 Domain Account
Canonical reference
https://attack.mitre.org/techniques/T1136/002/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
  (EventCode=4720 OR EventCode=4728 OR EventCode=4741)
| eval DetectionBranch=case(
    EventCode=4720, "DomainAccountCreated",
    EventCode=4728, "MemberAddedToGlobalGroup",
    EventCode=4741, "ComputerAccountCreated",
    true(), "Unknown"
  )
| eval CreatedAccount=coalesce(TargetUserName, MemberName)
| eval ActingAccount=SubjectUserName
| eval ActingDomain=SubjectDomainName
| eval TargetGroup=if(EventCode=4728, TargetUserName, null())
| eval IsPrivilegedGroup=if(match(TargetGroup, "(?i)(domain admins|enterprise admins|schema admins|group policy creator owners|administrators)"), 1, 0)
| eval SuspicionScore=case(
    EventCode=4720 AND match(ActingAccount, "(?i)(admin|svc|service|system)"), 2,
    EventCode=4720, 1,
    EventCode=4728 AND IsPrivilegedGroup=1, 3,
    EventCode=4728, 1,
    EventCode=4741, 1,
    true(), 0
  )
| where SuspicionScore > 0
| table _time, host, EventCode, DetectionBranch, CreatedAccount, ActingAccount, ActingDomain, TargetGroup, IsPrivilegedGroup, SuspicionScore
| sort - SuspicionScore, - _time

```
| appendcols
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
     (CommandLine="*net user*" AND CommandLine="*/add*" AND CommandLine="*/domain*")
     OR (CommandLine="*dsadd user*")
     OR (CommandLine="*New-ADUser*")
     OR (CommandLine="*Add-ADGroupMember*" AND (CommandLine="*Domain Admins*" OR CommandLine="*Enterprise Admins*"))
    | eval DetectionBranch="ProcessCmdLine_ADUser"
    | eval SuspicionScore=2
    | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, SuspicionScore]
```
high severity high confidence

Detects domain account creation and privilege escalation via Windows Security Event log. EventCode 4720 captures new user account creation, 4728 captures members added to security-enabled global groups (with scoring boost for privileged groups like Domain Admins), and 4741 captures computer account creation. Suspicion scoring prioritizes: new accounts created by service/admin accounts (potential automated attacker tooling), and additions to highly privileged groups. A companion process-based search covers net.exe /add /domain, dsadd.exe, and PowerShell AD cmdlets via Sysmon Event ID 1.

Data Sources

User Account: User Account CreationActive Directory: Active Directory Object CreationProcess: Process CreationWindows Security Event LogSysmon Event ID 1

Required Sourcetypes

WinEventLog:SecurityXmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Helpdesk and IT provisioning teams creating user accounts during onboarding workflows
  • Automated identity provisioning tools (Okta, SailPoint, Microsoft Identity Manager) running as service accounts
  • Domain controller infrastructure operations creating machine or service accounts
  • Software setup routines for enterprise applications (SQL Server, Exchange) that create domain service accounts
  • Security red team exercises or authorized penetration tests in production domains
Download portable Sigma rule (.yml)

Other platforms for T1136.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Domain Account via Net User

    Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.

  2. Test 2Create Domain Account and Add to Domain Admins via PowerShell

    Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.

  3. Test 3Create Domain Account via dsadd

    Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.

  4. Test 4Simulate Adversary Account Naming with Empire-style Pattern

    Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1136.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1136Create Account

Related Sub-techniques

T1136.001Local AccountT1136.003Cloud Account

Related Techniques

T1136Create AccountT1136.001Local AccountT1078.002Domain AccountsT1098.001Additional Cloud CredentialsT1087.002Domain AccountT1069.002Domain GroupsT1003.003NTDST1484.001Group Policy ModificationT1021.002SMB/Windows Admin Shares

Same Tactic: Persistence

Popular Detections