T1136 Microsoft Sentinel · KQL

Detect Create Account in Microsoft Sentinel

Adversaries may create an account to maintain access to victim systems. With sufficient privilege, creating accounts establishes secondary credentialed access that does not require persistent remote access tools. Accounts may be created on local systems, within a domain, or in cloud tenants. Threat actors including Indrik Spider (WastedLocker), LockBit 2.0, Scattered Spider, and Salt Typhoon have all used account creation as a persistence mechanism. In cloud environments, attackers may create accounts with access limited to specific services to reduce detection likelihood.

MITRE ATT&CK

Tactic
Persistence
Technique
T1136 Create Account
Canonical reference
https://attack.mitre.org/techniques/T1136/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1136 — Create Account: Multi-platform account creation detection
// Covers: Windows local/domain accounts (Security Event 4720) and process-based creation
// (net.exe, WMIC, PowerShell New-LocalUser, Linux useradd/adduser) from DeviceProcessEvents.
// Azure AD / Entra ID account creation is not covered by this query; it needs a separate AuditLogs branch.
let SuspiciousAccountNames = dynamic(["a", "admin1", "support", "helpdesk", "svc", "test", "user", "guest1", "temp"]);
let SuspiciousParentProcesses = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
// Branch 1: Windows Security Event 4720 (User Account Created)
let WindowsAccountCreation =
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4720
| extend NewAccountName = tostring(TargetUserName)
| extend CreatedBy = tostring(SubjectUserName)
| extend CreatedByDomain = tostring(SubjectDomainName)
| extend TargetDomain = tostring(TargetDomainName)
| extend ShortAccountName = tolower(NewAccountName) in (SuspiciousAccountNames)
| extend IsServiceAccount = NewAccountName startswith "svc-" or NewAccountName startswith "srv-"
// TimeGenerated is UTC; shift the 07:00-19:00 window if your business hours are not UTC-based.
| extend OffHours = hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) > 19
| project TimeGenerated, Computer, EventID, NewAccountName, CreatedBy, CreatedByDomain, TargetDomain,
          ShortAccountName, IsServiceAccount, OffHours,
          Source="Windows-Security-4720";
// Branch 2: Process-based account creation (net user, wmic, PowerShell New-LocalUser, Linux useradd/adduser)
let ProcessAccountCreation =
DeviceProcessEvents
| where Timestamp > ago(24h)
// Explicit parentheses: KQL binds 'and' tighter than 'or', so the PowerShell clause
// is New-LocalUser OR ('net user' AND '/add').
| where (
    ((FileName =~ "net.exe" or FileName =~ "net1.exe") and ProcessCommandLine has "user" and ProcessCommandLine has "/add")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "useraccount" and ProcessCommandLine has "create")
    or ((FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") and (
        ProcessCommandLine has "New-LocalUser" or (ProcessCommandLine has "net user" and ProcessCommandLine has "/add")
    ))
    or (FileName =~ "useradd" or FileName =~ "adduser")
  )
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParentProcesses)
| extend OffHours = hourofday(Timestamp) < 7 or hourofday(Timestamp) > 19
// EventID is int in SecurityEvent; cast the placeholder so union does not split it into EventID_int / EventID_long.
| project TimeGenerated=Timestamp, Computer=DeviceName, EventID=int(0), NewAccountName="",
          CreatedBy=AccountName, CreatedByDomain="", TargetDomain="",
          ShortAccountName=false, IsServiceAccount=false, OffHours,
          ProcessCommandLine, InitiatingProcessFileName,
          SuspiciousParent, Source="ProcessCreate";
// Union results and surface high-confidence indicators
WindowsAccountCreation
| extend ProcessCommandLine="", InitiatingProcessFileName="", SuspiciousParent=false
| union ProcessAccountCreation
// One point per indicator; iff() makes the bool-to-int step explicit.
| extend RiskScore = iff(ShortAccountName, 1, 0) + iff(OffHours, 1, 0) + iff(SuspiciousParent, 1, 0)
| sort by TimeGenerated desc
```
Severity: High · Confidence: High

Detects account creation activity on Windows and Linux endpoints using two parallel branches; Azure AD (Entra ID) account creation is not covered by this query and would require a separate branch over AuditLogs. Branch 1 monitors Security Event ID 4720 (user account created) in the SecurityEvent table, flagging short/generic account names and off-hours creation and recording the creating principal. Branch 2 monitors DeviceProcessEvents for process-based account creation via net.exe /add, wmic useraccount create, the New-LocalUser PowerShell cmdlet, and Linux useradd/adduser commands. A risk score (0 to 3) is computed from three indicators: suspicious account name, off-hours activity, and suspicious parent process.
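To check the branch predicates and RiskScore arithmetic before deploying the rule, the following Python model re-implements the query's logic over constructed events. It is an added example, not code from the original page or from Microsoft; the event dictionaries, the `SAMPLE_*` inputs and the helper names are assumptions, and KQL's term-based `has` is approximated with a lowercase substring check.

```python
"""Offline model of the T1136 query's two branches and RiskScore.
Added example, not from the original page: it mirrors the KQL predicates
so command-line matching and scoring can be tested on constructed events.
Field names follow the SecurityEvent / DeviceProcessEvents columns used above."""
from datetime import datetime
from typing import Optional

SUSPICIOUS_ACCOUNT_NAMES = {"a", "admin1", "support", "helpdesk", "svc", "test", "user", "guest1", "temp"}
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def off_hours(ts: datetime) -> bool:
    """Mirrors: hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) > 19 (UTC)."""
    return ts.hour < 7 or ts.hour > 19


def is_account_creation_cmd(file_name: str, cmdline: str) -> bool:
    """Branch 2 'where' predicate. The PowerShell clause is
    New-LocalUser OR ('net user' AND '/add'), as KQL and/or precedence parses it.
    KQL 'has' is case-insensitive term matching; substring on lowercase approximates it."""
    f, c = file_name.lower(), cmdline.lower()
    if f in ("net.exe", "net1.exe"):
        return "user" in c and "/add" in c
    if f == "wmic.exe":
        return "useraccount" in c and "create" in c
    if f in ("powershell.exe", "pwsh.exe"):
        return "new-localuser" in c or ("net user" in c and "/add" in c)
    return f in ("useradd", "adduser")


def score_security_4720(ev: dict) -> dict:
    """Branch 1: a SecurityEvent 4720 row -> unified row with RiskScore (no parent info)."""
    short = ev["TargetUserName"].lower() in SUSPICIOUS_ACCOUNT_NAMES
    oh = off_hours(ev["TimeGenerated"])
    return {"Source": "Windows-Security-4720", "NewAccountName": ev["TargetUserName"],
            "CreatedBy": ev["SubjectUserName"], "ShortAccountName": short,
            "OffHours": oh, "SuspiciousParent": False, "RiskScore": int(short) + int(oh)}


def score_process_event(ev: dict) -> Optional[dict]:
    """Branch 2: a DeviceProcessEvents row -> unified row, or None if it is not an account creation."""
    if not is_account_creation_cmd(ev["FileName"], ev["ProcessCommandLine"]):
        return None
    parent = ev["InitiatingProcessFileName"].lower() in SUSPICIOUS_PARENTS
    oh = off_hours(ev["Timestamp"])
    return {"Source": "ProcessCreate", "NewAccountName": "", "CreatedBy": ev["AccountName"],
            "ShortAccountName": False, "OffHours": oh, "SuspiciousParent": parent,
            "RiskScore": int(oh) + int(parent)}


# Constructed sample telemetry (assumed values, not real logs).
SAMPLE_4720 = {"TimeGenerated": datetime(2024, 5, 1, 2, 15), "TargetUserName": "support", "SubjectUserName": "jdoe"}
SAMPLE_PROC = {"Timestamp": datetime(2024, 5, 1, 14, 0), "FileName": "net.exe", "AccountName": "jdoe",
               "ProcessCommandLine": "net user df00tech-testacct /add", "InitiatingProcessFileName": "cmd.exe"}
SAMPLE_BENIGN = {**SAMPLE_PROC, "ProcessCommandLine": "net user jdoe /domain", "InitiatingProcessFileName": "explorer.exe"}
```

The benign lookup (`net user jdoe /domain`) is not matched because the `/add` term is required, which is the same reason the tuning list below calls out reset/unlock scripts that do pass `/add`-like arguments.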

Data Sources

  • User Account: User Account Creation
  • Process: Process Creation
  • Command: Command Execution
  • Windows Security Event Log
  • Microsoft Defender for Endpoint

Required Tables

  • SecurityEvent
  • DeviceProcessEvents

False Positives & Tuning

  • IT provisioning scripts that create service accounts or user accounts during onboarding workflows
  • Software installers that create local service accounts (e.g., backup agents, monitoring tools like Datadog, SolarWinds)
  • Domain join processes that create computer accounts triggering related audit events
  • Automated testing infrastructure that creates and removes ephemeral accounts
  • Password reset or account unlock scripts using net.exe that get flagged on the process branch

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Local User Account via net.exe

    Expected signal: Security Event 4720: 'A user account was created' with TargetUserName=df00tech-testacct, SubjectUserName=<running user>. Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine='net user df00tech-testacct P@ssw0rd123! /add'. Security Event 4722 (account enabled) may follow immediately.

  2. Test 2: Create Local User via WMIC (Indrik Spider TTP)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'useraccount'. Followed by net.exe process create. Security Event 4720 generated by the net user /add call. Parent process chain visible in Sysmon logs.

  3. Test 3: Create Local User via PowerShell New-LocalUser

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-LocalUser'. Security Event 4720: new account df00tech-pstest created, SubjectUserName shows running user. PowerShell ScriptBlock Log Event ID 4104 will show the full New-LocalUser command with parameters.

  4. Test 4: Linux Account Creation via useradd

    Expected signal: Syslog / /var/log/auth.log: 'useradd: new user: name=df00tech-linuxtest, UID=<uid>, GID=<gid>'. If auditd is configured with -a always,exit -F arch=b64 -S execve rules: audit log entry for useradd execution with full command line. If Sysmon for Linux is deployed: process creation event for useradd.

Unlock Pro Content

Get the full detection package for T1136 including response playbook, investigation guide, and atomic red team tests.
