DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms
| Item | Value |
|---|---|
| ID | DET0003 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1136.002 (Domain Account)
Analytics
Windows
AN0006
Adversary uses built-in tools such as "net user /add /domain" or PowerShell (e.g., New-ADUser) to create a domain user account. The behavior chain is: (1) execution of an account-management process (net.exe, powershell.exe) on a domain controller, followed within a short window by (2) a user account creation event (Windows Security Event ID 4720) on the same host. Both halves are needed: 4720 alone is generated by every legitimate onboarding, and net.exe alone is common administrative activity.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Detection triggers when Event ID 4720 follows a suspicious process within 2 minutes. |
| ParentProcessName | Allow filtering of known admin tools vs adversarial misuse (e.g., net.exe, powershell.exe). |
| UserContext | Filter accounts with domain admin privileges creating new users vs standard helpdesk roles. |
| HostRole | Restrict to only domain controller hosts to reduce noise from workstations. |
Linux
AN0007
Adversary with access to domain management tools (e.g., realmd, samba-tool, ldapmodify) creates a new domain user from the command line. Behavior chain: (1) a domain-management command or script executes, then (2) the new user entry is added in AD, observable as LDAP traffic to the domain controller and, once the account is used, as Kerberos authentication by a previously unseen principal.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| DomainToolUsed | realmd, samba-tool, ldapmodify or custom script |
| TrafficWindow | Expected Kerberos traffic from new domain account within X minutes of command |
| SessionType | Script execution from interactive shell vs scheduled task |
macOS
AN0008
macOS clients bound to AD may script account provisioning via dsconfigad, dscl, or LDAP scripts. Detection occurs when such a tool runs on a domain-bound system and is followed by authentication attempts from an account that has not been seen before.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| EnrollmentStatus | Only flag on AD-bound systems with valid LDAP context |
| AccountType | Distinguish between user accounts and computer accounts |