Loading…

IT Security Blog

Click the button below to start exploring my website
Start exploring

Detecting Local User Creation in AD with Sigma

In this blog post, I will introduce a new Sigma Use Case detecting local user creation in an Active Directory (AD) environment. The creation of a new user creates a Windows Event Log of Type Security with the Event Code 4720. In an AD environment, only domain controller should create these Windows Event Logs.

By monitoring the Event Log 4720 on non domain controller, we are able to detect local user creation on windows servers:

title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
tags:
    - attack.privilege_escalation
    - attack.t1078
references:
    - http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
fields:
    - EventCode
    - Account_Name
    - Account_Domain
falsepositives:
    - Domain Controller Logs
level: high

In order to test it, we create a local user on a non domain controller:

Subsequently, we run the Sigma Use Case in Splunk and were able to detect the event:

Thank you for reading.