In this blog post, I will introduce a new Sigma use case that detects local user creation in an Active Directory (AD) environment. Creating a user account writes a Windows Security event with Event ID 4720 on the machine that holds the account: on a domain controller for domain accounts, on the member server itself for accounts in its local SAM. In an AD environment, where users are managed centrally in the domain, only domain controllers should be generating these events; a 4720 event on any other server means a local account was created there.
By monitoring Event ID 4720 on hosts that are not domain controllers, we can detect local user creation on Windows servers:
```yaml
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
tags:
    - attack.privilege_escalation
    - attack.t1078
references:
    - http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
fields:
    - EventCode
    - Account_Name
    - Account_Domain
falsepositives:
    - Domain Controller Logs
level: high
```
To test it, we create a local user on a server that is not a domain controller:
Subsequently, we run the Sigma use case in Splunk and are able to detect the event:
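The detection logic of the rule above, together with the "apply it to server logs, not DC logs" caveat, run over a few constructed events. This is an added example and not code from the blog post or from the Sigma project: the events are made up to resemble Splunk's WinEventLog:Security field extractions (host, EventCode, Account_Name, Account_Domain), the host names and the domain-controller inventory are assumptions, and the Splunk search string is a simplified rendering of what the sigmac splunk-windows configuration produces (also an assumption). The `local_sam` flag goes beyond the rule: on a member server a local account's Account_Domain is the computer name, which is a cheap second check that the account really lives in the local SAM.

```python
"""Run the 4720 Sigma selection over constructed sample events.

Added example, not part of the original post or of the Sigma project.
Host names, the domain-controller set and the Splunk rendering are assumptions.
"""

# Constructed sample events. DC01 creates a domain account (expected, the
# documented false positive); SRV01 creates an account in its own SAM (what the
# rule should catch); the 4624 logon on SRV01 is noise that must not match.
SAMPLE_EVENTS = [
    {"host": "DC01", "EventCode": 4720, "Account_Name": "jdoe",
     "Account_Domain": "CORP", "Subject_Account_Name": "helpdesk"},
    {"host": "SRV01", "EventCode": 4720, "Account_Name": "svc_backup2",
     "Account_Domain": "SRV01", "Subject_Account_Name": "Administrator"},
    {"host": "SRV01", "EventCode": 4624, "Account_Name": "jdoe",
     "Account_Domain": "CORP", "Subject_Account_Name": "-"},
]

# Assumed inventory of domain controllers; the rule is meant for every other host.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# The Sigma selection from the rule. Splunk's Windows field extraction calls the
# event ID field EventCode, which is why the rule's `fields` list uses that name.
SIGMA_SELECTION = {"EventID": 4720}
FIELD_MAP = {"EventID": "EventCode"}


def to_splunk_search(selection=SIGMA_SELECTION):
    """Render the selection as a Splunk search (simplified sigmac-style output, assumed)."""
    terms = " ".join(f'{FIELD_MAP.get(k, k)}="{v}"' for k, v in selection.items())
    return f'source="WinEventLog:Security" {terms} | table EventCode,Account_Name,Account_Domain'


def matches_selection(event, selection=SIGMA_SELECTION):
    """True when every field of the Sigma selection matches the event."""
    return all(event.get(FIELD_MAP.get(k, k)) == v for k, v in selection.items())


def detect_local_user_creation(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return 4720 events from hosts that are not domain controllers."""
    dcs = {dc.upper() for dc in domain_controllers}
    hits = []
    for event in events:
        if not matches_selection(event):
            continue
        if event["host"].upper() in dcs:
            # Domain controllers create domain users all day; that is the
            # rule's documented false positive, so they are excluded here.
            continue
        hit = {k: event.get(k) for k in ("host", "EventCode", "Account_Name", "Account_Domain")}
        # Extra check beyond the rule: a local account's domain is the host name.
        hit["local_sam"] = str(event.get("Account_Domain", "")).upper() == event["host"].upper()
        hits.append(hit)
    return hits


if __name__ == "__main__":
    print(to_splunk_search())
    for hit in detect_local_user_creation(SAMPLE_EVENTS):
        print(hit)
```

Feeding the DC events in as well (an empty domain-controller set) produces a second hit for DC01, which is exactly the false positive the rule's `falsepositives` entry warns about; keeping DC logs out of the search, or filtering them by host as above, is what makes the rule high-fidelity.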
Thank you for reading.