Detects local user creation

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment (accounts should be created in the domain, not on individual member servers). Apply this Sigma use case to your Windows member server logs and not to your domain controller logs, where Event ID 4720 is the normal signal for domain account creation.

Rule Content

- title: Detects local user creation
  id: 66b6be3d-55d0-4f47-9855-d69df21740ea
  description: Detects local user creation on windows servers, which shouldn't happen
    in an Active Directory environment. Apply this Sigma Use Case on your windows
    server logs and not on your DC logs.
  status: experimental
  tags:
  - attack.persistence
  - attack.t1136
  references:
  - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
  author: Patrick Bareiss
  logsource:
    product: windows
    service: security
    category: null
  detection:
    selection:
      EventID: 4720
    condition: selection
  fields:
  - EventCode
  - AccountName
  - AccountDomain
  falsepositives:
  - Domain Controller Logs
  - Local accounts managed by privileged account management tools
  level: low

Querying Elasticsearch

Import Libraries


# Elasticsearch client, the query-builder DSL on top of it, and pandas for tabulating hits
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


# Connect to the HELK Elasticsearch node and scope the search to the Windows Security event index.
# doc_type is a legacy (Elasticsearch 6.x) parameter; newer clients ignore or reject it.
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')

Run Elasticsearch Query


# Sigma selection "EventID: 4720" mapped to the HELK field name event_id
s = searchContext.query('query_string', query='event_id:"4720"')
response = s.execute()
if response.success():
    # scan() pages through every matching document, not just the first batch
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    raise RuntimeError('Elasticsearch query failed: %r' % response)

Show Results


# First rows of the hits; review the host, subject and target account fields for each creation event
df.head()
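The Sigma rule above fires on every Event ID 4720, and the notebook pulls those hits into a DataFrame; the rule's own false-positive list (domain controller logs, accounts created by privileged account management tools) still has to be applied before an analyst looks at the result. The following added example, not part of the original notebook or the rule's author's code, applies the rule's selection and both false-positive exclusions to a constructed batch of event dicts shaped like the `d.to_dict()` records the notebook collects. The field names `computer_name`, `SubjectUserName` and `TargetUserName`, the domain controller list and the PAM service account name are assumptions for the example, not field names guaranteed by HELK.

```python
"""Apply the 'Detects local user creation' Sigma rule (EventID 4720) to a batch of
Windows Security event records and drop the rule's documented false positives."""

from collections import Counter
from typing import Dict, Iterable, List

EVENT_ID_USER_CREATED = "4720"

# Assumed inventory of domain controllers; in practice derive it from AD, not a literal.
DOMAIN_CONTROLLERS = {"DC01.corp.example", "DC02.corp.example"}

# Assumed service account under which a privileged account management tool creates accounts.
PAM_SERVICE_ACCOUNTS = {"svc-pam"}

# Constructed sample events mimicking to_dict() output; field names are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 4720, "computer_name": "SRV01.corp.example",
     "SubjectUserName": "admin.jane", "TargetUserName": "backupops"},
    {"event_id": 4720, "computer_name": "DC01.corp.example",
     "SubjectUserName": "admin.jane", "TargetUserName": "new.hire"},
    {"event_id": 4720, "computer_name": "SRV02.corp.example",
     "SubjectUserName": "svc-pam", "TargetUserName": "break-glass-07"},
    {"event_id": 4726, "computer_name": "SRV01.corp.example",
     "SubjectUserName": "admin.jane", "TargetUserName": "olduser"},
    # event_id stored as a string, as some pipelines emit it
    {"event_id": "4720", "computer_name": "SRV03.corp.example",
     "SubjectUserName": "j.doe", "TargetUserName": "temp"},
]


def matches_sigma_selection(event: Dict) -> bool:
    """The rule's selection: EventID 4720. Compare as text so int and str values both match,
    which mirrors the query_string comparison event_id:"4720" used in the notebook."""
    return str(event.get("event_id", "")) == EVENT_ID_USER_CREATED


def classify(event: Dict) -> str:
    """Return 'alert' for a local user creation worth reviewing, or the reason it was excluded."""
    if not matches_sigma_selection(event):
        return "no-match"
    if event.get("computer_name") in DOMAIN_CONTROLLERS:
        # Domain account creation is logged as 4720 on the DC; the rule is not meant for DC logs.
        return "fp-domain-controller"
    if event.get("SubjectUserName") in PAM_SERVICE_ACCOUNTS:
        # Accounts provisioned by the PAM tool are expected local accounts.
        return "fp-pam"
    return "alert"


def find_local_user_creations(events: Iterable[Dict]) -> List[Dict]:
    """Hits that survive the rule's false-positive exclusions, reduced to the review fields."""
    return [
        {"host": e.get("computer_name"),
         "created_by": e.get("SubjectUserName"),
         "new_account": e.get("TargetUserName")}
        for e in events
        if classify(e) == "alert"
    ]


def summarize(events: Iterable[Dict]) -> Dict[str, int]:
    """Count of events per classification, useful for tuning the exclusion lists."""
    return dict(Counter(classify(e) for e in events))


if __name__ == "__main__":
    for hit in find_local_user_creations(SAMPLE_EVENTS):
        print(hit)
    print(summarize(SAMPLE_EVENTS))
```

When the notebook's DataFrame is available, `find_local_user_creations(df.to_dict("records"))` applies the same logic to the live hits; the two alerts left from the sample batch are the member-server creations by interactive admin accounts, which is exactly what the rule is meant to surface.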