Techniques
Sample rules
Windows User Account Creation
- source: elastic
- techniques:
- T1136
Description
Identifies attempts to create a Windows user account (Security event ID 4720, "A user account was created"). Attackers sometimes do this to persist on, or expand their access to, a system or domain.
Detection logic
host.os.type:windows and event.module:("system" or "security") and (event.code:"4720" or event.action:"added-user-account")
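The query above is the rule as Elastic ships it. As an added example (not part of the original rule page), the block below re-implements the same predicate in Python and runs it over a handful of hand-constructed ECS-style events, so you can see which documents match and which are filtered out by each clause. The sample events, their field values (event.module, event.action, winlog.event_data.*) and the helper names are assumptions; real Winlogbeat / Elastic Agent output varies by version and should be checked against your own index.

```python
"""Apply the Windows user-account-creation rule to ECS-style events.

Added example, not the original rule page's code. The sample events are
constructed by hand and only approximate what Winlogbeat / Elastic Agent
emit for Security event 4720; field values such as event.module and
event.action differ between agent versions and are assumptions here.
"""
from typing import Any, Dict, List


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name (e.g. "event.code") in a nested dict."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_user_account_creation(event: Dict[str, Any]) -> bool:
    """Python equivalent of the KQL:

    host.os.type:windows and event.module:("system" or "security")
      and (event.code:"4720" or event.action:"added-user-account")

    event.code is compared as a string because some pipelines index it
    as an integer and others as a keyword (assumption: tolerate both).
    """
    if get_field(event, "host.os.type") != "windows":
        return False
    if get_field(event, "event.module") not in ("system", "security"):
        return False
    code = get_field(event, "event.code")
    return (code is not None and str(code) == "4720") or \
        get_field(event, "event.action") == "added-user-account"


def summarize_hit(event: Dict[str, Any]) -> str:
    """Triage one-liner: who created which account on which host.
    Uses winlog.event_data.SubjectUserName / TargetUserName (assumed
    field names from the Winlogbeat security module)."""
    subject = get_field(event, "winlog.event_data.SubjectUserName") or "?"
    target = get_field(event, "winlog.event_data.TargetUserName") or "?"
    host = get_field(event, "host.name") or "?"
    return f"{subject} created {target} on {host}"


def find_hits(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches_user_account_creation(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Security module, 4720 -> should match
        "id": "sec-4720-win",
        "host": {"name": "WS01", "os": {"type": "windows"}},
        "event": {"module": "security", "code": "4720",
                  "action": "added-user-account"},
        "winlog": {"event_data": {"SubjectUserName": "Administrator",
                                  "TargetUserName": "svc_backup"}},
    },
    {   # System module, integer event.code and no event.action -> matches
        "id": "sys-action-only",
        "host": {"name": "DC01", "os": {"type": "windows"}},
        "event": {"module": "system", "code": 4720},
        "winlog": {"event_data": {"SubjectUserName": "jdoe",
                                  "TargetUserName": "helpdesk2"}},
    },
    {   # 4726 "A user account was deleted" -> must not match
        "id": "sec-4726-win",
        "host": {"name": "WS01", "os": {"type": "windows"}},
        "event": {"module": "security", "code": "4726",
                  "action": "deleted-user-account"},
    },
    {   # Same action name but a Linux host -> excluded by host.os.type
        "id": "linux-useradd",
        "host": {"name": "web01", "os": {"type": "linux"}},
        "event": {"module": "system", "action": "added-user-account"},
    },
    {   # Right code, wrong module -> excluded by event.module clause
        "id": "other-module-4720",
        "host": {"name": "WS02", "os": {"type": "windows"}},
        "event": {"module": "sysmon", "code": "4720"},
    },
]


if __name__ == "__main__":
    for hit_id in find_hits(SAMPLE_EVENTS):
        hit = next(e for e in SAMPLE_EVENTS if e["id"] == hit_id)
        print(hit_id, "->", summarize_hit(hit))
```

Running the block prints the two matching events with a "who created whom" line. The last two sample events show why the host.os.type and event.module clauses matter: without them an identically named action from a Linux auditbeat-style event, or a 4720 routed through a different module, would fire the rule.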