Detect Create Account in CrowdStrike LogScale
Adversaries may create an account to maintain access to victim systems. With sufficient privilege, creating accounts establishes secondary credentialed access that does not require persistent remote access tools. Accounts may be created on local systems, within a domain, or in cloud tenants. Threat actors including Indrik Spider (WastedLocker), LockBit 2.0, Scattered Spider, and Salt Typhoon have all used account creation as a persistence mechanism. In cloud environments, attackers may create accounts with access limited to specific services to reduce detection likelihood.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1136 Create Account
- Canonical reference
- https://attack.mitre.org/techniques/T1136/
LogScale Detection Query
// T1136 — Create Account: CrowdStrike LogScale (Falcon)
// Branch 1: Account creation via process events
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(net|net1|wmic|powershell|pwsh|useradd|adduser)\.exe$/
| CommandLine = /(?i)(user.*\/add|useraccount.*create|New-LocalUser|net user.*\/add)/
OR FileName = /(?i)^(useradd|adduser)$/
| eval OffHours = if(hour(timestamp) < 7 OR hour(timestamp) > 19, true, false)
| eval SuspiciousParent = ParentBaseFileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$/
| eval RiskScore = (if(OffHours, 1, 0) + if(SuspiciousParent, 1, 0))
| table([
@timestamp,
ComputerName,
UserName,
FileName,
CommandLine,
ParentBaseFileName,
OffHours,
SuspiciousParent,
RiskScore
])
| sort(field=@timestamp, order=desc)
// Branch 2: UserAccountAdded event (Falcon identity telemetry)
// Uncomment if UserAccountAdded events are available in your Falcon data tier:
// #event_simpleName = "UserAccountAdded"
// | eval OffHours = if(hour(timestamp) < 7 OR hour(timestamp) > 19, true, false)
// | table([@timestamp, ComputerName, UserName, NewUserName, OffHours])
// | sort(field=@timestamp, order=desc)CrowdStrike LogScale (CQL) query detecting account creation via Falcon ProcessRollup2 events, targeting net.exe, net1.exe, wmic, PowerShell (New-LocalUser), and Linux useradd/adduser. Risk scores off-hours activity and suspicious parent processes. Optional branch for UserAccountAdded identity telemetry if available.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators or scripts using net.exe to provision accounts during business hours
- Endpoint provisioning systems running PowerShell-based account creation as part of imaging pipelines
- Security or monitoring tools spawning child processes that invoke account management utilities
Other platforms for T1136
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Local User Account via net.exe
Expected signal: Security Event 4720: 'A user account was created' with TargetUserName=df00tech-testacct, SubjectUserName=<running user>. Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine='net user df00tech-testacct P@ssw0rd123! /add'. Security Event 4722 (account enabled) may follow immediately.
- Test 2Create Local User via WMIC (Indrik Spider TTP)
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'useraccount'. Followed by net.exe process create. Security Event 4720 generated by the net user /add call. Parent process chain visible in Sysmon logs.
- Test 3Create Local User via PowerShell New-LocalUser
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-LocalUser'. Security Event 4720: new account df00tech-pstest created, SubjectUserName shows running user. PowerShell ScriptBlock Log Event ID 4104 will show the full New-LocalUser command with parameters.
- Test 4Linux Account Creation via useradd
Expected signal: Syslog / /var/log/auth.log: 'useradd: new user: name=df00tech-linuxtest, UID=<uid>, GID=<gid>'. If auditd is configured with -a always,exit -F arch=b64 -S execve rules: audit log entry for useradd execution with full command line. If Sysmon for Linux is deployed: process creation event for useradd.
References (9)
- https://attack.mitre.org/techniques/T1136/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.cisco.com/c/en/us/td/docs/security/salt-typhoon-advisory.html
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-account-management
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security
Unlock Pro Content
Get the full detection package for T1136 including response playbook, investigation guide, and atomic red team tests.