
Local User Creation

Detects local user creation (Security Event ID 4720) on Windows servers, which should not happen in an Active Directory environment. Apply this Sigma use case to your Windows server logs and not to your domain controller logs, where the same event ID records domain account creation.

Author: Patrick Bareiss
Created: Thu Apr 18
Updated: Sun Jan 17
Rule ID: 66b6be3d-55d0-4f47-9855-d69df21740ea
Product: windows
Log Source
Product: windows
Service: security
Detection Logic
detection:
    selection:
        EventID: 4720
    condition: selection
False Positives

Domain Controller Logs

Local accounts managed by privileged account management tools
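The selection above is a single field match, but the two false-positive notes are what decide whether it is usable. The following is an added example, not code from the rule or the Sigma project: a small evaluator that applies this rule's logsource and selection to constructed Security event records and suppresses domain controller hosts and PAM-managed creations. The field names follow the Windows Security event XML; the host names, account names, DC inventory and PAM account list are assumptions.

```python
RULE = {  # the rule's logsource and detection sections, as YAML-to-dict
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4720}, "condition": "selection"},
}

# Constructed events (made-up hosts and accounts): a member server, a domain
# controller, a non-4720 logon event, and a creation done by a PAM service account.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Channel": "Security", "Computer": "FS01.corp.example",
     "SubjectUserName": "admin1", "TargetUserName": "svc_backup"},
    {"EventID": 4720, "Channel": "Security", "Computer": "DC01.corp.example",
     "SubjectUserName": "hradmin", "TargetUserName": "jdoe"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FS01.corp.example",
     "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"EventID": 4720, "Channel": "Security", "Computer": "APP02.corp.example",
     "SubjectUserName": "svc_pam", "TargetUserName": "rotated-local-admin"},
]

DOMAIN_CONTROLLERS = {"DC01.corp.example"}  # assumed DC inventory (hypothetical)
PAM_ACCOUNTS = {"svc_pam"}                  # assumed PAM tool accounts (hypothetical)

def matches_selection(event, selection):
    """Sigma selection semantics: every field must match (AND); a list is an OR."""
    for field, wanted in selection.items():
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if event.get(field) not in allowed:
            return False
    return True

def evaluate(events, rule=RULE, dcs=DOMAIN_CONTROLLERS, pam=PAM_ACCOUNTS):
    """Return the events that fire the rule after the two false-positive filters."""
    hits = []
    for ev in events:
        # logsource service 'security' maps to the Windows 'Security' channel
        if ev.get("Channel", "").lower() != rule["logsource"]["service"]:
            continue
        if not matches_selection(ev, rule["detection"]["selection"]):
            continue
        if ev["Computer"] in dcs:         # DC logs: 4720 there is domain accounts
            continue
        if ev["SubjectUserName"] in pam:  # local accounts managed by a PAM tool
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {hit['Computer']}: {hit['SubjectUserName']} created "
              f"local account {hit['TargetUserName']}")
```

Only the member-server creation by a human administrator survives the filters; keep the DC and PAM lists fed from inventory rather than hard-coded, or the rule will fire on every DC in the domain.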

MITRE ATT&CK
Persistence (attack.persistence): T1136.001 Create Account: Local Account
Rule Metadata
Rule ID
66b6be3d-55d0-4f47-9855-d69df21740ea
Status
test
Level
low
Type
Detection
Created
Thu Apr 18
Modified
Sun Jan 17
Path
rules/windows/builtin/security/win_security_user_creation.yml
Raw Tags
attack.persistence, attack.t1136.001