Detect Domain Account in Sumo Logic CSE
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1136 Create Account
- Sub-technique: T1136.002 Domain Account
- Canonical reference: https://attack.mitre.org/techniques/T1136/002/
Sumo Detection Query
(_sourceCategory=*windows*security* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| parse regex "(?:EventCode|EventID)[=:\s]+(?<EventCode>\d+)" nodrop
| parse "TargetUserName=*\n" as TargetUserName nodrop
| parse "SubjectUserName=*\n" as SubjectUserName nodrop
| parse "SubjectDomainName=*\n" as SubjectDomainName nodrop
| parse "TargetDomainName=*\n" as TargetDomainName nodrop
| parse "MemberName=*\n" as MemberName nodrop
| parse "CommandLine=*\n" as CommandLine nodrop
| parse "Image=*\n" as ProcessImage nodrop
| parse "ParentImage=*\n" as ParentImage nodrop
| where EventCode in ("4720", "4728", "4741", "1", "4688")
| where (
// Branch 1: Domain account created — filter out local WORKGROUP accounts
(EventCode == "4720"
AND !isNull(TargetDomainName)
AND TargetDomainName != "WORKGROUP"
AND TargetDomainName != "")
OR
// Branch 2: Privileged global group membership change
(EventCode == "4728"
AND TargetUserName matches /(?i)(domain admins|enterprise admins|schema admins|group policy creator owners|administrators)/)
OR
// Branch 3: Computer account created
EventCode == "4741"
OR
// Branch 4: net.exe / dsadd.exe domain account creation via command line
(EventCode in ("1", "4688")
AND (
(ProcessImage matches /(?i)(\\net\.exe|\\net1\.exe|\\dsadd\.exe)/
AND CommandLine matches /(?i)(\/add.*\/domain|\/domain.*\/add|dsadd\s+user)/)
OR
(ProcessImage matches /(?i)(powershell\.exe|pwsh\.exe)/
AND CommandLine matches /(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)/
AND CommandLine matches /(?i)(Domain Admins|Enterprise Admins|Schema Admins|Administrators|-AccountPassword|-Enabled\s*\$true)/)
))
)
// Label the branch that fired (Sumo Logic expression-as-field form; no eval operator exists)
| if(EventCode == "4720", "DomainAccountCreated",
    if(EventCode == "4728", "PrivilegedGroupMembership",
    if(EventCode == "4741", "ComputerAccountCreated",
    if(CommandLine matches /(?i)(New-ADUser|Add-ADGroupMember)/, "PowerShell_ADCmdlet",
    "ProcessCmdLine_NetAddDomain")))) as DetectionBranch
// Risk score: tier-0 group changes highest, then privileged-looking actors and command-line creation
| if(EventCode == "4728" AND TargetUserName matches /(?i)(domain admins|enterprise admins|schema admins)/, 3,
    if(EventCode == "4720" AND SubjectUserName matches /(?i)(admin|svc|service|system)/, 2,
    if(EventCode == "4720", 1,
    if(EventCode in ("1", "4688"), 2, 1)))) as SuspicionScore
| fields _time, _sourceHost, EventCode, DetectionBranch, TargetUserName, SubjectUserName, SubjectDomainName, TargetDomainName, MemberName, CommandLine, ProcessImage, ParentImage, SuspicionScore
| sort by SuspicionScore desc, _time desc

Detects domain account creation (Event 4720), privileged group membership additions (Event 4728), computer account creation (Event 4741), and process-based domain account creation via net.exe, dsadd.exe, and PowerShell AD cmdlets. Applies risk scoring based on target group sensitivity and actor account naming patterns.
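The branch and scoring logic of the query above, re-implemented in Python as an added example (not part of the original page and not Sumo Logic tooling) so it can be run offline against a few constructed key=value events. The sample events, account names and the Python regex forms are assumptions made for illustration; the field names mirror the query's parsed fields.

```python
import re
# Constructed sample events in the key=value layout the query parses; made up for illustration, not real telemetry.
SAMPLE_EVENTS = [
    "EventCode=4720\nSubjectUserName=svc_deploy\nTargetUserName=df00tech_test_acct\nTargetDomainName=CORP\n",
    "EventCode=4720\nSubjectUserName=jdoe\nTargetUserName=localtest\nTargetDomainName=WORKGROUP\n",
    "EventCode=4728\nSubjectUserName=jdoe\nTargetUserName=Domain Admins\nMemberName=CN=df00tech_priv_test,CN=Users,DC=corp\n",
    "EventCode=4688\nImage=C:\\Windows\\System32\\net.exe\nCommandLine=net user df00tech_test_acct Passw0rd /add /domain\n",
    "EventCode=4688\nImage=C:\\Windows\\System32\\net.exe\nCommandLine=net user localonly Passw0rd /add\n",
]
PRIV_GROUPS = re.compile(r"(?i)(domain admins|enterprise admins|schema admins|group policy creator owners|administrators)")
TOP_GROUPS = re.compile(r"(?i)(domain admins|enterprise admins|schema admins)")
PRIV_ACTOR = re.compile(r"(?i)(admin|svc|service|system)")
NET_TOOLS = re.compile(r"(?i)\\(net|net1|dsadd)\.exe$")
NET_ADD_DOMAIN = re.compile(r"(?i)(/add.*/domain|/domain.*/add|dsadd\s+user)")
PS_IMAGE = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_CMDLET = re.compile(r"(?i)(New-ADUser|Add-ADGroupMember|New-ADAccount)")
PS_PRIV = re.compile(r"(?i)(Domain Admins|Enterprise Admins|Schema Admins|Administrators|-AccountPassword|-Enabled\s*\$true)")

def parse_event(raw):
    """Split one multi-line key=value event into a dict, like the query's parse "Key=*\\n" lines."""
    return dict(re.findall(r"^(\w+)=(.*)$", raw, re.MULTILINE))

def classify(ev):
    """Return (DetectionBranch, SuspicionScore) for an event the query keeps, else None."""
    code = ev.get("EventCode")
    if code == "4720":  # Branch 1: domain account created; local WORKGROUP accounts excluded
        domain = ev.get("TargetDomainName", "")
        if not domain or domain == "WORKGROUP":
            return None
        return ("DomainAccountCreated", 2 if PRIV_ACTOR.search(ev.get("SubjectUserName", "")) else 1)
    if code == "4728":  # Branch 2: member added to a privileged global group
        group = ev.get("TargetUserName", "")
        if not PRIV_GROUPS.search(group):
            return None
        return ("PrivilegedGroupMembership", 3 if TOP_GROUPS.search(group) else 1)
    if code == "4741":  # Branch 3: computer account created
        return ("ComputerAccountCreated", 1)
    if code in ("1", "4688"):  # Branch 4: net/dsadd or PowerShell AD cmdlet on the command line
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        if NET_TOOLS.search(image) and NET_ADD_DOMAIN.search(cmd):
            return ("ProcessCmdLine_NetAddDomain", 2)
        if PS_IMAGE.search(image) and PS_CMDLET.search(cmd) and PS_PRIV.search(cmd):
            return ("PowerShell_ADCmdlet", 2)
    return None

def run(events):  # (TargetUserName, DetectionBranch, SuspicionScore) per hit, highest score first
    hits = [(ev.get("TargetUserName", ""),) + verdict
            for ev in map(parse_event, events) if (verdict := classify(ev))]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

Running `run(SAMPLE_EVENTS)` keeps three of the five events and drops the WORKGROUP creation and the local-only `net user /add`, which is the same filtering the query's Branch 1 and Branch 4 perform.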
False Positives & Tuning
- IT provisioning runbooks executed by administrators using net.exe or PowerShell to create service accounts for newly deployed applications or services
- Directory synchronization agents (Azure AD Connect, Okta AD agent) creating or updating accounts and group memberships as part of hybrid identity synchronization cycles
- Privileged Access Management (PAM) tools dynamically adding accounts to privileged groups for just-in-time access sessions, then removing them after session expiry
Testing Methodology
Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Domain Account via Net User
Expected signal: Domain Controller Security Event ID 4720: TargetUserName=df00tech_test_acct, SubjectUserName=<executing account>, TargetDomainName=<domain>. Sysmon Event ID 1 on executing host: Image=C:\Windows\System32\net.exe, CommandLine containing 'user df00tech_test_acct' and '/add /domain'. Security Event 4688 (if command line auditing enabled) on executing host.
- Test 2: Create Domain Account and Add to Domain Admins via PowerShell
Expected signal: Domain Controller Security Event 4720: account creation for df00tech_priv_test. Domain Controller Security Event 4728: MemberName=df00tech_priv_test added to TargetUserName=Domain Admins. Sysmon Event 1: powershell.exe with CommandLine containing 'New-ADUser' and 'Add-ADGroupMember'. PowerShell ScriptBlock Log Event 4104 with full command text.
- Test 3: Create Domain Account via dsadd
Expected signal: Domain Controller Security Event 4720: TargetUserName=df00tech_dsadd_test. Sysmon Event 1: Image=C:\Windows\System32\dsadd.exe, CommandLine containing 'user CN=df00tech_dsadd_test'. Security Event 4688 on executing host with dsadd.exe process creation.
- Test 4: Simulate Adversary Account Naming with Empire-style Pattern
Expected signal: Domain Controller Security Event 4720 with TargetUserName=svc_argus_health$ (note the $ suffix mimicking a machine or service account). Sysmon Event 1: net.exe with /add /domain. Security Event 4688. The account name pattern (svc_ prefix, $ suffix) may not match naming convention baselines and should be noted in triage.