rules/windows/builtin/security/win_user_creation.yml

title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
author: Patrick Bareiss
references:
  - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
date: 2019/04/18
modified: 2021/01/17
logsource:
  product: windows
  service: security
detection:
  selection:
    Provider_Name: Microsoft-Windows-Security-Auditing
    EventID: 4720
  condition: selection
fields:
  - EventCode
  - AccountName
  - AccountDomain
falsepositives:
  - Domain Controller Logs
  - Local accounts managed by privileged account management tools
level: low
tags:
  - attack.persistence
  - attack.t1136.001
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: Local User Creation`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 66b6be3d-55d0-4f47-9855-d69df21740ea`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
			`description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.`
New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00			`author: Patrick Bareiss`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2019/04/18`
Adjusted modified field to current date 2022-01-17 14:18:33 +01:00			`modified: 2021/01/17`
New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: windows`
			`service: security`
New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
Adjust case sensitivity of Provider_Name field 2022-01-17 10:36:09 +01:00			`Provider_Name: Microsoft-Windows-Security-Auditing`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`EventID: 4720`
			`condition: selection`
New Sigma rule detecting local user creation 2019-04-18 19:59:43 +02:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- EventCode`
			`- AccountName`
			`- AccountDomain`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Domain Controller Logs`
			`- Local accounts managed by privileged account management tools`
Further improved Windows user creation rule 2019-04-21 23:54:18 +02:00			`level: low`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.persistence`
			`- attack.t1136.001`