title: Domain Account (T1136.002)
id: df00tech-t1136-002
status: experimental
description: "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. With sufficient privileges, the net user /add /domain command or PowerShell's New-ADUser cmdlet can be used to create domain accounts. Threat actors including GALLIUM, BlackByte, Wizard Spider, HAFNIUM, and Medusa Group have used this technique to establish persistent, credentialed access that does not require remote access tools to remain deployed."
references:
  - https://attack.mitre.org/techniques/T1136/002/
  - https://df00tech.com/detections/T1136.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1136.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Derived from the technique description (net user /add /domain and PowerShell New-ADUser);
  # see the KQL/SPL query on df00tech for the full vendor logic and compare before deploying.
  selection_net:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains|all:
      - 'user'
      - '/add'
      - '/domain'
  selection_ps:
    CommandLine|contains: 'New-ADUser'
  condition: 1 of selection_*
falsepositives:
  - Helpdesk and IT provisioning teams creating user accounts during onboarding workflows — especially common during business hours from known provisioning systems
  - "Automated identity provisioning systems (Okta, SailPoint, Microsoft Identity Manager) that create AD accounts via scripted processes using net.exe or LDAP"
  - Domain controller promotion and demotion processes that create service and machine accounts during infrastructure maintenance
  - Test account creation in dev/staging domains during application testing or DR exercises
  - "Software installation routines that create domain service accounts (SQL Server, Exchange, SharePoint setup)"
level: high

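The following is an added example, not code from df00tech or the Sigma rule above. It applies the two creation methods the description names (net user /add /domain and PowerShell New-ADUser) to constructed process_creation events, using the same case-insensitive substring semantics Sigma uses, and shows how an allowlist of known provisioning accounts (a hypothetical tuning knob, not part of the rule) suppresses the false positives listed above without hiding ad-hoc creation by an ordinary user.

```python
"""Added example: T1136.002 domain-account-creation detection over constructed
Windows process_creation events. Not part of the df00tech rule."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    user: str           # account that spawned the process


# Constructed sample events (not real telemetry). Indices 0-2 are the
# creation methods named in the rule description; 3-5 are benign lookalikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net user svc_backup P@ssw0rd! /add /domain", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\net1.exe",
                 r"C:\Windows\system32\net1 user helpdesk2 Winter2026 /ADD /DOMAIN",
                 "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "New-ADUser -Name ops_admin -Enabled $true"',
                 "CORP\\svc_prov"),   # hypothetical provisioning service account
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net user jdoe /domain", "CORP\\jdoe"),            # lookup, no /add
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net user tempuser Pass123 /add", "CORP\\jdoe"),   # local, not domain
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", "CORP\\jdoe"),
]


def _contains_all(haystack: str, needles) -> bool:
    """Sigma 'contains|all' semantics: every needle present, case-insensitive."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def matches_net_user_add_domain(ev: ProcessEvent) -> bool:
    """selection_net: net.exe or net1.exe with 'user', '/add' and '/domain'."""
    image_ok = ev.image.lower().endswith(("\\net.exe", "\\net1.exe"))
    return image_ok and _contains_all(ev.command_line, ["user", "/add", "/domain"])


def matches_new_aduser(ev: ProcessEvent) -> bool:
    """selection_ps: the New-ADUser cmdlet appears on the command line."""
    return "new-aduser" in ev.command_line.lower()


def is_domain_account_creation(ev: ProcessEvent) -> bool:
    """condition: 1 of selection_*"""
    return matches_net_user_add_domain(ev) or matches_new_aduser(ev)


def detect(events, allowlisted_users=frozenset()):
    """Return (index, selection_name) for each event the rule alerts on.

    allowlisted_users is a hypothetical tuning list of provisioning accounts
    (e.g. an identity-management service account) whose creations are expected.
    """
    hits = []
    for i, ev in enumerate(events):
        if ev.user in allowlisted_users:
            continue
        if matches_net_user_add_domain(ev):
            hits.append((i, "selection_net"))
        elif matches_new_aduser(ev):
            hits.append((i, "selection_ps"))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] user={ev.user} cmd={ev.command_line}")
```

Event 3 (a `net user ... /domain` lookup) and event 4 (a local `/add` without `/domain`) do not fire, which is the distinction between this technique and T1136.001; the allowlist should be scoped to the exact provisioning accounts and reviewed when helpdesk tooling changes, since a hijacked provisioning account would otherwise be invisible to this rule.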