A threat actor may be attempting to escalate privileges by creating a new user and immediately adding them to the built-in administrators group to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics early.
KQL Query
```kusto
(union isfuzzy=true
(SecurityEvent
| where EventID == 4720
| where AccountType == "User"
| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid,
AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid
),
(WindowsEvent
| where EventID == 4720
| extend SubjectUserSid = tostring(EventData.SubjectUserSid)
| extend AccountType=case(EventData.SubjectUserName endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User")
| where AccountType == "User"
| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)
| extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)
| extend Activity="4720 - A user account was created."
| extend TargetSid = tostring(EventData.TargetSid)
| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid,
AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid
)
)
| join kind=inner
(
(union isfuzzy=true
(SecurityEvent
| where AccountType == "User"
// 4732 - A member was added to a security-enabled local group
| where EventID == 4732
// TargetSid is the built-in Administrators group: S-1-5-32-544
| where TargetSid == "S-1-5-32-544"
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount),
GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,
CreatedUserSid = MemberSid
),
( WindowsEvent
// 4732 - A member was added to a security-enabled local group
| where EventID == 4732 and EventData has "S-1-5-32-544"
// TargetSid is the built-in Administrators group: S-1-5-32-544
| extend SubjectUserSid = tostring(EventData.SubjectUserSid)
| extend AccountType=case(EventData.SubjectUserName endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User")
| where AccountType == "User"
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid == "S-1-5-32-544"
| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)
| extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend Activity="4732 - A member was added to a security-enabled local group."
| extend MemberSid = tostring(EventData.MemberSid)
| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount),
GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,
CreatedUserSid = MemberSid
)
)
)
on CreatedUserSid
// Create the user first, then add it to the group.
| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, CreatedUserAccountName, CreatedUserDomainName,
GroupAddTime, GroupAddEventID, GroupAddActivity, GroupName, GroupSid,
AccountUsedToCreateUser, SidofAccountUsedToCreateUser, CreatedByAccountName, CreatedByDomainName,
AccountThatAddedUser, SIDofAccountThatAddedUser, AddedByAccountName, AddedByDomainName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
```
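The comment before the final projection says the user is created first and then added to the group, but the join above matches purely on `CreatedUserSid` and never compares the two timestamps; it also keeps only the 4720-side `Computer` (the 4732-side copy is renamed `Computer1` by the join and then dropped). The following is an added example, not the rule's own query, that runs the same 4720 to 4732 correlation on the `SecurityEvent` table only and adds the time-order check, the delay between the two events, a same-actor flag and the host on which the membership changed. Column names `CreatedOn`, `AddedOn`, `MinutesToAdmin` and `SameActor` are choices made for this example.

```kusto
// Added example, not the rule's own query: 4720 -> 4732 correlation on SecurityEvent
// with the ordering enforced and the 4732-side host preserved.
let lookback = 1d;
let Created = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720 and AccountType == "User"
    | project CreatedUserTime = TimeGenerated, CreatedOn = toupper(Computer),
              CreatedUserSid = TargetSid, CreatedUser = tolower(TargetAccount),
              AccountUsedToCreateUser = SubjectAccount;
let AddedToAdmins = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4732 and AccountType == "User"
    // S-1-5-32-544 is the well-known SID of the built-in Administrators group
    | where TargetSid == "S-1-5-32-544"
    | project GroupAddTime = TimeGenerated, AddedOn = toupper(Computer),
              CreatedUserSid = MemberSid, AccountThatAddedUser = SubjectAccount;
Created
| join kind=inner (AddedToAdmins) on CreatedUserSid
// the join emits the right-side key as CreatedUserSid1; it duplicates CreatedUserSid
| project-away CreatedUserSid1
// the membership change must follow the account creation
| where GroupAddTime >= CreatedUserTime
// minutes from creation to admin membership; small values rank highest for triage
| extend MinutesToAdmin = datetime_diff('minute', GroupAddTime, CreatedUserTime)
// =~ is case-insensitive equality, so DOMAIN\user and domain\user compare equal
| extend SameActor = AccountUsedToCreateUser =~ AccountThatAddedUser
| order by MinutesToAdmin asc
```

Run it ad hoc in the Logs blade over the same 1d window as the rule; `CreatedOn` and `AddedOn` differ for a domain account created on a domain controller and then added to a member server's local Administrators group, which the rule's single `Computer` column cannot show. To cover `WindowsEvent` as well, apply the same `extend` statements the rule uses to lift `EventData` fields before the `project`.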
```yaml
id: aa1eff90-29d4-49dc-a3ea-b65199f516db
name: New user created and added to the built-in administrators group
description: |
  'Identifies when a user account was created and then added to the builtin Administrators group in the same day.
  This should be monitored closely and all additions reviewed.'
severity: Low
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvents
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1078
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID == 4720
  | where AccountType == "User"
  | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
  CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid,
  AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid
  ),
  (WindowsEvent
  | where EventID == 4720
  | extend SubjectUserSid = tostring(EventData.SubjectUserSid)
  | extend AccountType=case(EventData.SubjectUserName endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User")
  | where AccountType == "User"
  | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)
  | extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)
  | extend Activity="4720 - A user account was created."
  | extend TargetSid = tostring(EventData.TargetSid)
  | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
  CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid,
  AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid
  )
  )
  | join kind=inner
  (
  (union isfuzzy=true
  (SecurityEvent
  | where AccountType == "User"
  // 4732 - A member was added to a security-enabled local group
  | where EventID == 4732
  // TargetSid is the built-in Administrators group: S-1-5-32-544
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
| WindowsEvent | Ensure this data connector is enabled |
Scenario: User account created for a new employee and added to Administrators group during onboarding
Filter/Exclusion: Check if the user account was created by the HR system or IT provisioning tool (e.g., Microsoft Azure AD Connect, Okta, or SCIM integration) and verify if the addition to the Administrators group was part of a standard onboarding process.
Suggested Filter: user_created_by == "HR_System" || user_created_by == "IT_Provisioning_Tool"
Scenario: Scheduled job or service account created and added to Administrators group for automation purposes
Filter/Exclusion: Identify if the account is a service account (e.g., SQLAgent or IIS APPPOOL) or part of a scheduled task (e.g., Task Scheduler or PowerShell job).
Suggested Filter: account_type == "service_account" || account_name contains "svc-" || account_name contains "task-"
Scenario: Temporary admin account created for troubleshooting and added to Administrators group
Filter/Exclusion: Check if the account is flagged as temporary or has a short expiration date (e.g., via Active Directory or Azure AD lifecycle management).
Suggested Filter: account_expiration_date < current_date + 7 days || account_flagged_as_temporary == true
Scenario: User account created during a system migration and added to Administrators group for access
Filter/Exclusion: Verify if the account was created as part of a migration tool (e.g., Microsoft Intune, Azure Migrate, or System Center Configuration Manager).
Suggested Filter: account_creation_source == "migration_tool" || account_creation_source == "SCCM"
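The Suggested Filter lines above use fields such as `user_created_by` and `account_expiration_date` that do not exist in the rule's output; what the rule actually exposes is the creating account (`AccountUsedToCreateUser`), the adding account (`AccountThatAddedUser`) and the new account name (`CreatedUserAccountName`). The block below is an added tuning example, not part of the rule, that maps the scenarios onto those columns. It assumes the rule's query has been saved as a Sentinel function with the hypothetical name `NewUserAddedToAdmins()` returning the rule's final projection; the allow-list values and the `tmp-` prefix are constructed placeholders. Scenario 3 (expiration date or a temporary flag) needs enrichment from Active Directory or Entra ID that 4720/4732 events do not carry, so it is approximated here by a naming convention, which is an assumption about your environment.

```kusto
// Added tuning example, not part of the rule. NewUserAddedToAdmins() is a hypothetical
// saved function wrapping the rule's query; the lists below are constructed placeholders.
let ProvisioningAccounts = dynamic(["contoso\\svc-hr-provision", "contoso\\svc-migration"]);
let TempAdminPrefix = "tmp-";
NewUserAddedToAdmins()
| extend CreatorLower = tolower(AccountUsedToCreateUser),
         NewUserLower = tolower(CreatedUserAccountName)
// Tag rather than silently drop: the reason stays visible for review.
| extend LikelyBenignReason = case(
    // Scenarios 1 and 4: creation performed by a known provisioning or migration identity
    CreatorLower in (ProvisioningAccounts), "created by provisioning/migration identity",
    // Scenario 2: service or scheduled-task accounts by naming convention
    NewUserLower matches regex @"^(svc|task)-", "service/scheduled-task naming convention",
    // Scenario 3 (approximation): temporary admin accounts by naming convention
    NewUserLower startswith TempAdminPrefix, "temporary admin naming convention",
    "")
// A creator that also performs the group add is the pattern the rule is hunting for.
| extend SameActor = AccountUsedToCreateUser =~ AccountThatAddedUser
// Remove this line to keep tagged rows for periodic review instead of suppressing them.
| where isempty(LikelyBenignReason)
| project CreatedUserTime, GroupAddTime, Computer, CreatedUser, AccountUsedToCreateUser,
          AccountThatAddedUser, SameActor
```

Keep the allow-list in a watchlist rather than inline once it grows, and review the suppressed `LikelyBenignReason` rows periodically: a provisioning account whose credentials have been taken over would otherwise be excluded by its own name.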
Scenario: User account created and added to Administrators group by a third-party tool during