Detecting Local User Creation in AD with Sigma
In this blog post, I will introduce a new Sigma Use Case detecting local user creation in an Active Directory (AD) environment. The creation of a new user creates a Windows Event Log of Type Security with the Event Code 4720. In an AD environment, only domain controller should create these Windows Event Logs.
By monitoring the Event Log 4720 on non domain controller, we are able to detect local user creation on windows servers:
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
tags:
- attack.privilege_escalation
- attack.t1078
references:
- http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
condition: selection
fields:
- EventCode
- Account_Name
- Account_Domain
falsepositives:
- Domain Controller Logs
level: high
In order to test it, we create a local user on a non domain controller:
Subsequently, we run the Sigma Use Case in Splunk and were able to detect the event:
Thank you for reading.