T1136 Splunk · SPL

Detect Create Account in Splunk

Adversaries may create an account to maintain access to victim systems. With sufficient privilege, creating accounts establishes secondary credentialed access that does not require persistent remote access tools. Accounts may be created on local systems, within a domain, or in cloud tenants. Threat actors including Indrik Spider (WastedLocker), LockBit 2.0, Scattered Spider, and Salt Typhoon have all used account creation as a persistence mechanism. In cloud environments, attackers may create accounts with access limited to specific services to reduce detection likelihood.

MITRE ATT&CK

  • Tactic: Persistence
  • Technique: T1136 Create Account
  • Canonical reference: https://attack.mitre.org/techniques/T1136/

SPL Detection Query

Splunk (SPL)
| union
    [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
      | rex field=Message "(?s)Subject:.*?Account Name:\s+(?<CreatedBy>[^\r\n]+)"
      | rex field=Message "(?s)New Account:.*?Account Name:\s+(?<NewAccountName>[^\r\n]+)"
      | eval hour=tonumber(strftime(_time, "%H"))
      | eval OffHours=if(hour < 7 OR hour > 19, 1, 0)
      | eval ShortName=if(len(trim(NewAccountName)) <= 3, 1, 0)
      | eval RiskScore=OffHours + ShortName
      | eval Source="Security-4720"
      | table _time, host, EventCode, NewAccountName, CreatedBy, OffHours, ShortName, RiskScore, Source ]
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
        (
          ((Image="*\\net.exe" OR Image="*\\net1.exe") AND CommandLine="* user *" AND CommandLine="*/add*")
          OR (Image="*\\wmic.exe" AND CommandLine="*useraccount*" AND CommandLine="*create*")
          OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*New-LocalUser*" OR (CommandLine="*net user*" AND CommandLine="*/add*")))
          OR Image="*/useradd" OR Image="*/adduser"
        )
      | eval hour=tonumber(strftime(_time, "%H"))
      | eval OffHours=if(hour < 7 OR hour > 19, 1, 0)
      | eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
      | eval RiskScore=OffHours + SuspiciousParent
      | eval Source="ProcessCreate"
      | eval NewAccountName=""
      | eval CreatedBy=User
      | table _time, host, Image, CommandLine, ParentImage, User, OffHours, SuspiciousParent, RiskScore, Source ]
| sort - _time

Severity: high · Confidence: high

Detects account creation with two branches combined by union. Branch 1 reads Windows Security Event 4720 from WinEventLog:Security, extracts the creator (the Account Name under Subject) and the new account (the Account Name under New Account), and flags names of three characters or fewer and creation outside 07:00-19:59 local time. Branch 2 reads Sysmon Event ID 1 from XmlWinEventLog:Microsoft-Windows-Sysmon/Operational to catch process-based creation via net.exe /add, wmic useraccount create, the New-LocalUser cmdlet, and Linux useradd/adduser; the Linux patterns only produce results if Sysmon for Linux events are indexed under the sourcetype that branch searches, so adjust that filter to whatever your Sysmon for Linux add-on assigns. Each branch sums its flags into a RiskScore of 0 to 2, so analysts can triage on off-hours timing, short account names, and suspicious parent processes (cmd, powershell, wscript, cscript, mshta, rundll32) rather than on the raw event alone.
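As an added example that is not part of this page or its detection package, the following Python re-implements the query's two branches and their scoring over constructed sample events, so the 4720 field extraction, the off-hours / short-name / suspicious-parent flags and the composite RiskScore can be checked offline before the SPL is deployed. Every sample value (account names, SIDs, paths, timestamps, the svc-provisioning allowlist entry) is constructed, and the allowlist stands in for a Splunk lookup that the page does not define.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample (not captured telemetry): the Message body of a Windows
# Security Event 4720 with the tabs and CRLF line endings Windows writes.
SAMPLE_4720_MESSAGE = (
    "A user account was created.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tCORP\r\n\r\n"
    "New Account:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\r\n"
    "\tAccount Name:\t\tsvc\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
)

# Branch 1: a 4720 Message carries two "Account Name:" lines, the first under
# "Subject:" (the creator) and the second under "New Account:". Anchoring on
# the section labels and stopping at \r or \n tolerates CRLF bodies.
_SUBJECT_RE = re.compile(r"Subject:.*?Account Name:\s+([^\r\n]+)", re.S)
_NEW_ACCOUNT_RE = re.compile(r"New Account:.*?Account Name:\s+([^\r\n]+)", re.S)

def parse_4720(message):
    """Return (CreatedBy, NewAccountName), or (None, None) for a malformed body."""
    subj, new = _SUBJECT_RE.search(message), _NEW_ACCOUNT_RE.search(message)
    if not subj or not new:
        return None, None
    return subj.group(1).strip(), new.group(1).strip()

def off_hours(ts):
    """Query rule: before 07:00 or from 20:00 local time counts as off-hours."""
    return 1 if ts.hour < 7 or ts.hour > 19 else 0

def score_security_event(ts, message):
    """Branch 1 row: a short name (<= 3 chars) and off-hours creation each add 1."""
    created_by, new_name = parse_4720(message)
    short = 1 if new_name is not None and len(new_name) <= 3 else 0
    return {"Source": "Security-4720", "NewAccountName": new_name, "CreatedBy": created_by,
            "OffHours": off_hours(ts), "ShortName": short, "RiskScore": off_hours(ts) + short}

# Branch 2: (image globs, command-line globs that must all match), the same
# patterns the query uses; Linux binaries are matched on "/" paths.
_CREATION_PATTERNS = [
    (["*\\net.exe", "*\\net1.exe"], ["* user *", "*/add*"]),
    (["*\\wmic.exe"], ["*useraccount*", "*create*"]),
    (["*\\powershell.exe", "*\\pwsh.exe"], ["*New-LocalUser*"]),
    (["*\\powershell.exe", "*\\pwsh.exe"], ["*net user*", "*/add*"]),
    (["*/useradd", "*/adduser"], []),
]
_SUSPICIOUS_PARENT_RE = re.compile(r"(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)")

def _glob(value, pattern):
    # Splunk field wildcards are case-insensitive; lowercase both sides to match.
    return fnmatchcase(value.lower(), pattern.lower())

def is_account_creation(image, command_line):
    """True when image and command line satisfy one of the creation patterns."""
    return any(any(_glob(image, g) for g in images)
               and all(_glob(command_line, g) for g in cmd_globs)
               for images, cmd_globs in _CREATION_PATTERNS)

def score_process_event(ts, image, command_line, parent_image, user):
    """Branch 2 row, or None when the process is not an account-creation command."""
    if not is_account_creation(image, command_line):
        return None
    parent = 1 if _SUSPICIOUS_PARENT_RE.search(parent_image) else 0
    return {"Source": "ProcessCreate", "NewAccountName": "", "CreatedBy": user,
            "OffHours": off_hours(ts), "SuspiciousParent": parent, "RiskScore": off_hours(ts) + parent}

# Tuning: a constructed allowlist standing in for a lookup of approved provisioning identities.
APPROVED_CREATORS = {"CORP\\svc-provisioning"}

def should_alert(row, allowlist=APPROVED_CREATORS):
    return row is not None and row["CreatedBy"] not in allowlist

# Constructed sample telemetry: one 4720 event and two process-creation events.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 5, 23, 14), "security", {"Message": SAMPLE_4720_MESSAGE}),
    (datetime(2024, 3, 5, 10, 2), "process", {
        "Image": "C:\\Windows\\System32\\net.exe",
        "CommandLine": "net user backup-svc Summer2024 /add",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"}),
    (datetime(2024, 3, 5, 3, 40), "process", {
        "Image": "/usr/sbin/useradd", "CommandLine": "useradd -m deploy",
        "ParentImage": "/usr/bin/bash", "User": "root"}),
]

def run_samples(events=SAMPLE_EVENTS):
    """Apply both branches, keep alertable rows, and order newest first (sort - _time)."""
    rows = []
    for ts, kind, f in events:
        if kind == "security":
            row = score_security_event(ts, f["Message"])
        else:
            row = score_process_event(ts, f["Image"], f["CommandLine"], f["ParentImage"], f["User"])
        if should_alert(row):
            row["_time"] = ts
            rows.append(row)
    return sorted(rows, key=lambda r: r["_time"], reverse=True)
```

Running run_samples() yields three rows: the 4720 event scores 2 (off-hours plus the three-character name "svc"), the net.exe /add launched from cmd.exe scores 1 for its parent, and the 03:40 useradd scores 1 for timing only, since bash is not in the suspicious-parent list. A plain "net user jdoe" lookup without /add produces no row, which is the same gap the SPL's command-line patterns leave.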

Data Sources

  • User Account: User Account Creation
  • Process: Process Creation
  • Command: Command Execution
  • Windows Security Event Log
  • Sysmon Event ID 1

Required Sourcetypes

  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT provisioning scripts that create service accounts or user accounts during onboarding workflows
  • Software installers that create local service accounts (e.g., backup agents, monitoring tools like Datadog, SolarWinds)
  • Automated testing infrastructure creating and removing ephemeral accounts
  • Domain join processes that trigger account creation audit events
  • Password reset or account management scripts using net.exe


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Local User Account via net.exe

    Expected signal: Security Event 4720: 'A user account was created' with TargetUserName=df00tech-testacct, SubjectUserName=<running user>. Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine='net user df00tech-testacct P@ssw0rd123! /add'. Security Event 4722 (account enabled) may follow immediately.

  2. Test 2: Create Local User via WMIC (Indrik Spider TTP)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'useraccount'. Followed by net.exe process create. Security Event 4720 generated by the net user /add call. Parent process chain visible in Sysmon logs.

  3. Test 3: Create Local User via PowerShell New-LocalUser

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'New-LocalUser'. Security Event 4720: new account df00tech-pstest created, SubjectUserName shows running user. PowerShell ScriptBlock Log Event ID 4104 will show the full New-LocalUser command with parameters.

  4. Test 4: Linux Account Creation via useradd

    Expected signal: Syslog / /var/log/auth.log: 'useradd: new user: name=df00tech-linuxtest, UID=<uid>, GID=<gid>'. If auditd is configured with -a always,exit -F arch=b64 -S execve rules: audit log entry for useradd execution with full command line. If Sysmon for Linux is deployed: process creation event for useradd.
