Local User Creation (66b6be3d-55d0-4f47-9855-d69df21740ea)

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Local User Creation (66b6be3d-55d0-4f47-9855-d69df21740ea) | Sigma-Rules | Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | 1 |
| Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | 2 |