IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Windows User Account Creation
editWindows User Account Creation
editIdentifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
Version: 1
Rule authors:
- Skoetting
Rule license: Elastic License v2
Rule query
editevent.module:("system" or "security") and winlog.api:"wineventlog" and (event.code:"4720" or event.action:"added-user-account")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create Account
- ID: T1136
- Reference URL: https://attack.mitre.org/techniques/T1136/
-
Sub-technique:
- Name: Local Account
- ID: T1136.001
- Reference URL: https://attack.mitre.org/techniques/T1136/001/
-
Sub-technique:
- Name: Domain Account
- ID: T1136.002
- Reference URL: https://attack.mitre.org/techniques/T1136/002/