T1136.002 Detection Strategy - Domain Account Creation Across Platforms

Technique Detected: Domain Account | T1136.002

ID: DET0003
Domains: Enterprise
Analytics: AN0006, AN0007, AN0008
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0006

Adversary uses built-in tools such as 'net user /add /domain' or PowerShell to create a domain user account. The behavior chain includes: (1) suspicious process execution on a domain controller followed by (2) user account creation event (Event ID 4720) on the same host.

Log Sources
Data Component                 | Name                 | Channel
User Account Creation (DC0014) | WinEventLog:Security | EventCode=4720
Process Creation (DC0032)      | WinEventLog:Sysmon   | EventCode=1

Mutable Elements
Field             | Description
TimeWindow        | Detection triggers when Event ID 4720 follows a suspicious process within 2 minutes.
ParentProcessName | Allow filtering of known admin tools vs adversarial misuse (e.g., net.exe, powershell.exe).
UserContext       | Filter accounts with domain admin privileges creating new users vs standard helpdesk roles.
HostRole          | Restrict to only domain controller hosts to reduce noise from workstations.

AN0007

Adversary with access to domain management tools (e.g., realmd, samba-tool, ldapmodify) creates a new domain user via command-line utilities. Behavior chain: LDAP command or script triggers → user entry added in AD via Kerberos/LDAP traffic.

Log Sources
Data Component                      | Name          | Channel
Command Execution (DC0064)          | auditd:SYSCALL | execution of realmd, samba-tool, or ldapmodify with user-related arguments
User Account Authentication (DC0002) | NSM:Flow      | TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process

Mutable Elements
Field          | Description
DomainToolUsed | realmd, samba-tool, ldapmodify or custom script
TrafficWindow  | Expected Kerberos traffic from new domain account within X minutes of command
SessionType    | Script execution from interactive shell vs scheduled task

AN0008

macOS clients joined to AD via LDAP may script account provisioning via dsconfigad, dscl, or LDAP scripts. Detection occurs when such tools run on a domain-joined system, followed by authentication attempts by a previously unseen account.

Log Sources
Data Component                  | Name             | Channel
Command Execution (DC0064)      | macos:unifiedlog | dsconfigad or dscl with create or append options for AD-bound users
Logon Session Creation (DC0067) | macos:unifiedlog | UserLoggedIn

Mutable Elements
Field            | Description
EnrollmentStatus | Only flag on AD-bound systems with valid LDAP context
AccountType      | Distinguish between user accounts and computer accounts
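The three analytics above share one shape: a trigger event (a domain-management tool running) followed, within a time window and on a matching join key, by a confirming event (4720, Kerberos AS-REQ/TGS-REQ, or a logon by an unseen account). The following is an added example, not code from MITRE ATT&CK or from this detection strategy, that implements that two-stage correlation generically and runs it over constructed sample events for AN0006 (join on host, 2-minute window, DC hosts only) and AN0007 (join on the new account name, with the unspecified "X minutes" assumed here to be 10). Field names such as Image, CommandLine, TargetUserName, exe, args, cname and msg_type are assumed normalized names, not a particular SIEM's schema, and the samba-tool argument parsing is a deliberately simple regex; ldapmodify input (LDIF) would need its own parser and is not handled.

```python
"""Two-stage behaviour-chain correlation for DET0003 analytics (added example)."""
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Mutable elements, modelled as constants (values are assumptions for this example)
DC_HOSTS = {"DC01", "lnx-dc1"}                          # HostRole: domain controllers only
WIN_ADMIN_TOOLS = {"net.exe", "net1.exe", "powershell.exe"}  # ParentProcessName allow/deny basis
LINUX_DOMAIN_TOOLS = {"realmd", "samba-tool", "ldapmodify"}  # DomainToolUsed

# Constructed sample telemetry (not real logs); ts is ISO-8601 local time
EVENTS: List[Event] = [
    # AN0006: net.exe creating a domain user on a DC, then Security 4720 40 s later
    {"ts": "2025-10-21T09:00:00", "host": "DC01", "src": "WinEventLog:Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user svc_backup P@ss /add /domain"},
    {"ts": "2025-10-21T09:00:40", "host": "DC01", "src": "WinEventLog:Security", "EventCode": 4720,
     "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    # Noise: local account created on a workstation (wrong HostRole, must not alert)
    {"ts": "2025-10-21T09:05:00", "host": "WS07", "src": "WinEventLog:Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user tmp /add"},
    {"ts": "2025-10-21T09:05:10", "host": "WS07", "src": "WinEventLog:Security", "EventCode": 4720,
     "TargetUserName": "tmp", "SubjectUserName": "helpdesk1"},
    # Noise: 4720 on a DC with no suspicious process inside the 2-minute window
    {"ts": "2025-10-21T11:00:00", "host": "DC01", "src": "WinEventLog:Security", "EventCode": 4720,
     "TargetUserName": "mlee", "SubjectUserName": "hr_provisioning"},
    # AN0007: samba-tool creates a user, then an AS-REQ for that principal 3 min later
    {"ts": "2025-10-21T12:00:00", "host": "lnx-dc1", "src": "auditd:SYSCALL",
     "exe": "/usr/bin/samba-tool", "args": "samba-tool user create backupsvc Secret123"},
    {"ts": "2025-10-21T12:03:00", "host": "lnx-dc1", "src": "NSM:Flow", "proto": "kerberos",
     "msg_type": "AS-REQ", "cname": "backupsvc"},
]


@dataclass
class Rule:
    name: str
    trigger: Callable[[Event], Optional[str]]  # returns the join key, or None if not a trigger
    confirm: Callable[[Event], Optional[str]]  # returns the join key, or None if not a confirmation
    window: timedelta                          # TimeWindow / TrafficWindow


def an0006_trigger(e: Event) -> Optional[str]:
    if e.get("src") != "WinEventLog:Sysmon" or e.get("EventCode") != 1 or e["host"] not in DC_HOSTS:
        return None
    image = os.path.basename(str(e.get("Image", "")).replace("\\", "/")).lower()
    cmd = str(e.get("CommandLine", ""))
    # net user ... /add /domain, or the PowerShell AD cmdlet equivalent
    if image in WIN_ADMIN_TOOLS and re.search(r"/add\b.*/domain\b|New-ADUser", cmd, re.I):
        return str(e["host"])
    return None


def an0006_confirm(e: Event) -> Optional[str]:
    if e.get("src") == "WinEventLog:Security" and e.get("EventCode") == 4720 and e["host"] in DC_HOSTS:
        return str(e["host"])
    return None


def an0007_trigger(e: Event) -> Optional[str]:
    if e.get("src") != "auditd:SYSCALL":
        return None
    if os.path.basename(str(e.get("exe", ""))) not in LINUX_DOMAIN_TOOLS:
        return None
    # Simple extraction of the new account from "samba-tool user create <name>";
    # ldapmodify (LDIF on stdin) would need a real parser and is not handled here.
    m = re.search(r"user\s+(?:create|add)\s+(\S+)", str(e.get("args", "")))
    return m.group(1) if m else None


def an0007_confirm(e: Event) -> Optional[str]:
    if e.get("src") == "NSM:Flow" and e.get("proto") == "kerberos" and e.get("msg_type") in {"AS-REQ", "TGS-REQ"}:
        return str(e.get("cname"))
    return None


RULES = [
    Rule("AN0006", an0006_trigger, an0006_confirm, timedelta(minutes=2)),
    Rule("AN0007", an0007_trigger, an0007_confirm, timedelta(minutes=10)),  # "X minutes" assumed = 10
]


def correlate(events: List[Event], rules: List[Rule] = RULES) -> List[Dict[str, object]]:
    """Emit an alert for every confirm event that follows a trigger with the same key inside the window."""
    alerts: List[Dict[str, object]] = []
    pending: Dict[tuple, datetime] = {}  # (rule name, join key) -> most recent trigger time
    for e in sorted(events, key=lambda x: str(x["ts"])):
        ts = datetime.fromisoformat(str(e["ts"]))
        for rule in rules:
            key = rule.trigger(e)
            if key is not None:
                pending[(rule.name, key)] = ts
                continue
            key = rule.confirm(e)
            if key is None:
                continue
            t0 = pending.get((rule.name, key))
            if t0 is not None and timedelta(0) <= ts - t0 <= rule.window:
                alerts.append({"analytic": rule.name, "key": key, "trigger_ts": t0.isoformat(),
                               "confirm_ts": ts.isoformat(),
                               "account": e.get("TargetUserName") or e.get("cname")})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Only the DC01 and lnx-dc1 chains produce alerts; the workstation account and the 11:00 creation with no preceding tool execution are dropped by the HostRole filter and the TimeWindow respectively. AN0008 fits the same Rule shape with a dsconfigad/dscl trigger keyed on the created account and a UserLoggedIn confirmation keyed on the logging-in user, plus a set of previously seen accounts to implement "previously unseen".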