Query Details

RULE 20 AD Machine Account Quota Abuse

Query

// =========================================================
// RULE-20 | AD-Machine-Account-Quota-Abuse
// Description : Machine Account Quota bulk abuse — Event 5137
//               (Directory Service Object Created) showing
//               ≥3 computer objects created by the SAME
//               non-admin user within 1 hour.
//               By default, ms-DS-MachineAccountQuota = 10,
//               allowing any domain user to create up to 10
//               machine accounts. Attackers create these for:
//               - RBCD attacks (machine$ as the S4U principal)
//               - KrbRelayUp local escalation
//               - noPac SAMAccountName spoofing
//               - ShadowCredentials via controlled machine$
// Severity    : Medium (3) → High (≥4) → Critical (≥7).
//               Treat any hit as Critical when RBCD or
//               coercion events from the same creator fall in
//               the same window (this query does not correlate
//               them itself).
// Frequency   : Every 1 hour, look-back 1 hour
// MITRE       : T1136.002 — Create Account: Domain Account
//               T1098      — Account Manipulation
// Tables      : SecurityEvent
// Prereqs     : Event 5137 is only written when the "Audit
//               Directory Service Changes" subcategory is
//               enabled AND the container (e.g. CN=Computers)
//               carries a matching audit SACL for object
//               creation. Where that SACL is missing, Event
//               4741 (A computer account was created) covers
//               the same activity and needs only "Audit
//               Computer Account Management".
// =========================================================

let LookBack       = 1h;
let MinAcctCreated = 3;      // ≥3 machine accounts in the window

// Known admin accounts: principals added to privileged groups in
// the last 30 days (4728 global / 4732 local / 4756 universal).
// MemberName in these events is a distinguished name, so the CN is
// extracted before comparing it with SubjectUserName. This only sees
// recent additions; a watchlist of current membership is a more
// complete exclusion source.
let AdminAccounts = SecurityEvent
    | where TimeGenerated > ago(30d)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName has_any ("Domain Admins", "Enterprise Admins",
                                    "Administrators", "Account Operators")
    | extend AdminMember = tolower(extract(@"CN=([^,]+)", 1, MemberName))
    | where isnotempty(AdminMember)
    | summarize by AdminMember;

// Machine account creation events (Computer = the DC that logged them)
let MachineAccountCreations = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5137
    | where ObjectClass =~ "computer"
    // Drop SYSTEM and machine-account creators (sAMAccountName ends in $)
    | where not(SubjectUserName =~ "SYSTEM" or SubjectUserName endswith "$")
    | extend
        CreatorNorm  = tolower(SubjectUserName),
        CreatorAcct  = strcat(SubjectDomainName, "\\", SubjectUserName),
        NewMachine   = ObjectDN;

// Find non-admin creators with ≥MinAcctCreated
MachineAccountCreations
| join kind=leftanti (AdminAccounts) on $left.CreatorNorm == $right.AdminMember
| summarize
    AccountsCreated   = count(),
    MachineAccounts   = make_set(NewMachine, 20),
    EarliestCreation  = min(TimeGenerated),
    LatestCreation    = max(TimeGenerated),
    SourceHosts       = make_set(Computer, 5)     // DCs that logged the events
    by CreatorAcct, SubjectUserName, SubjectDomainName
| where AccountsCreated >= MinAcctCreated
| extend
    WindowMinutes = datetime_diff("minute", LatestCreation, EarliestCreation),
    Severity = case(
        AccountsCreated >= 7, "Critical",
        AccountsCreated >= 4, "High",
        "Medium"
    ),
    WhySuspicious = strcat(
        tostring(AccountsCreated), "_MachineAccounts_Created_By_NonAdmin; ",
        "Potential_RBCD_KrbRelayUp_noPac_Prep; ",
        "Creator: ", CreatorAcct, "; ",
        "Accounts: ", tostring(MachineAccounts)
    )
| project
    TimeGenerated    = LatestCreation,
    Severity,
    WhySuspicious,
    CreatorAcct,
    AccountsCreated,
    WindowMinutes,
    MachineAccounts,
    SourceHosts
| order by AccountsCreated desc

Explanation

This query is designed to detect potential abuse of machine account creation privileges in a Windows domain environment. Here's a simplified explanation:

  1. Purpose: The query identifies instances where a non-admin user creates three or more computer accounts within one hour. This is suspicious because an ordinary user rarely has a reason to join more than one machine to the domain, while each of the attacks listed below starts by creating a computer object the attacker controls.

  2. Background: By default, any domain user can create up to 10 machine accounts. Attackers might exploit this to perform various attacks, including:

    • Resource-Based Constrained Delegation (RBCD) attacks
    • Local privilege escalation using KrbRelayUp
    • Spoofing SAMAccountName with noPac
    • Creating shadow credentials
  3. Severity: The query assigns Medium for 3 accounts, High for 4 to 6, and Critical for 7 or more. Escalate any hit to Critical when resource-based constrained delegation changes or authentication-coercion events from the same creator fall in the same window; that correlation is a manual triage step, not something this query performs.

  4. Process:

    • The query looks back over the past hour for directory object creation events (Event ID 5137) whose object class is "computer". 5137 is written only when "Audit Directory Service Changes" is enabled and the container carries a matching audit SACL; where it is absent, Event ID 4741 (A computer account was created) records the same activity.
    • It builds a list of known admin accounts from membership additions to Domain Admins, Enterprise Admins, Administrators and Account Operators (Event IDs 4728, 4732, 4756) over the past 30 days, and drops those creators along with SYSTEM and machine accounts (names ending in $). Because the list only covers recent additions, long-standing admins are not excluded unless a current-membership watchlist is used instead.
    • It groups the remaining events by creator and keeps creators with three or more computer objects.
    • It calculates the span in minutes between the first and last creation and assigns a severity from the count.
    • It composes a WhySuspicious string with the count, the attack techniques the accounts could serve, the creator's account, and the list of new objects.
  5. Output: The query outputs a list of suspicious activities, including:

    • The time of the latest account creation
    • Severity level
    • Explanation of why the activity is suspicious
    • The account of the creator
    • Number of accounts created
    • Time window in minutes
    • List of machine accounts created
    • The domain controllers that logged the creation events (5137 does not record the client that sent the LDAP request)

This query helps security teams monitor and respond to potential security threats related to machine account creation in their network. When triaging a hit, the ms-DS-CreatorSID attribute on each new computer object confirms who created it under the quota, and setting ms-DS-MachineAccountQuota to 0 removes the capability from ordinary users altogether.
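The grouping logic described above, re-implemented in Python and run over constructed sample events so the exclusions, the look-back boundary and the severity ladder can be checked offline. This is an added example, not the page's KQL and not a Microsoft Sentinel API: the corp.local domain, the account names, the DC hostnames and every event record are hypothetical, and the 4728/4732/4756 MemberName values are written as distinguished names because that is how Windows records them, which is why the CN has to be extracted before it can be compared with SubjectUserName.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters, mirroring the KQL `let` bindings.
LOOKBACK = timedelta(hours=1)
MIN_ACCT_CREATED = 3
ADMIN_GROUPS = ("domain admins", "enterprise admins", "administrators", "account operators")
NOW = datetime(2026, 3, 24, 12, 0, 0)   # stands in for query time; sample data is relative to it


def ev5137(minutes_ago, creator, dn, obj_class="computer", dc="DC01.corp.local"):
    """Minimal Event 5137 record shaped like a SecurityEvent row (constructed, not captured)."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "EventID": 5137,
            "ObjectClass": obj_class, "SubjectUserName": creator,
            "SubjectDomainName": "CORP", "ObjectDN": dn, "Computer": dc}


# Constructed group-membership additions; MemberName is a DN, not a sAMAccountName.
SAMPLE_GROUP_ADDS = [
    {"EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=alice,OU=Admins,DC=corp,DC=local"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=bob,OU=Staff,DC=corp,DC=local"},
]

# Constructed 5137 events for the hypothetical corp.local domain.
SAMPLE_5137 = [
    # bob: four computer objects in 15 minutes -> expected hit, severity High
    ev5137(50, "bob", "CN=WS-A1,CN=Computers,DC=corp,DC=local"),
    ev5137(45, "bob", "CN=WS-A2,CN=Computers,DC=corp,DC=local"),
    ev5137(40, "bob", "CN=WS-A3,CN=Computers,DC=corp,DC=local", dc="DC02.corp.local"),
    ev5137(35, "bob", "CN=WS-A4,CN=Computers,DC=corp,DC=local"),
    # alice: three objects, but she was added to Domain Admins -> excluded
    *[ev5137(30 - 5 * i, "alice", f"CN=SRV-0{i},OU=Servers,DC=corp,DC=local") for i in range(3)],
    # SCCM01$: a machine account creating five objects -> excluded as a machine creator
    *[ev5137(30 - i, "SCCM01$", f"CN=IMG-{i},OU=Staging,DC=corp,DC=local") for i in range(5)],
    # carol: three creations, one older than the look-back -> only two count, no hit
    ev5137(90, "carol", "CN=LAB-1,CN=Computers,DC=corp,DC=local"),
    ev5137(15, "carol", "CN=LAB-2,CN=Computers,DC=corp,DC=local"),
    ev5137(10, "carol", "CN=LAB-3,CN=Computers,DC=corp,DC=local"),
    # dave: three new objects, but they are users, not computers -> ignored
    *[ev5137(5 - i, "dave", f"CN=svc{i},CN=Users,DC=corp,DC=local", obj_class="user") for i in range(3)],
]


def admin_accounts(events):
    """Lower-cased CN of each principal added to a privileged group (4728/4732/4756).
    CN and sAMAccountName usually agree, but a current-membership watchlist is more reliable."""
    admins = set()
    for e in events:
        if e["EventID"] in (4728, 4732, 4756) and any(
                g in e["TargetUserName"].lower() for g in ADMIN_GROUPS):
            m = re.match(r"CN=([^,]+)", e["MemberName"], re.IGNORECASE)
            if m:
                admins.add(m.group(1).lower())
    return admins


def severity(accounts_created):
    """Same ladder as the KQL case(): >=7 Critical, >=4 High, otherwise Medium."""
    return "Critical" if accounts_created >= 7 else "High" if accounts_created >= 4 else "Medium"


def detect(events, admins, now=NOW):
    """Group 5137 computer-object creations by non-admin, non-machine creator inside LOOKBACK."""
    per_creator = defaultdict(list)
    for e in events:
        if e["EventID"] != 5137 or e["ObjectClass"].lower() != "computer":
            continue
        if e["TimeGenerated"] <= now - LOOKBACK:        # ago(LookBack) boundary
            continue
        user = e["SubjectUserName"]
        if user.lower() == "system" or user.endswith("$") or user.lower() in admins:
            continue
        per_creator[(e["SubjectDomainName"], user)].append(e)
    alerts = []
    for (domain, user), evs in per_creator.items():
        if len(evs) < MIN_ACCT_CREATED:
            continue
        times = [x["TimeGenerated"] for x in evs]
        alerts.append({
            "TimeGenerated": max(times),
            "Severity": severity(len(evs)),
            "CreatorAcct": f"{domain}\\{user}",
            "AccountsCreated": len(evs),
            "WindowMinutes": int((max(times) - min(times)).total_seconds() // 60),
            "MachineAccounts": sorted(x["ObjectDN"] for x in evs),
            "SourceHosts": sorted({x["Computer"] for x in evs}),  # DCs that logged the events
        })
    return sorted(alerts, key=lambda a: a["AccountsCreated"], reverse=True)


def run_sample():
    """Run the rule over the constructed events and return the alert rows."""
    return detect(SAMPLE_5137, admin_accounts(SAMPLE_GROUP_ADDS))


if __name__ == "__main__":
    for row in run_sample():
        print(row["Severity"], row["CreatorAcct"], row["AccountsCreated"],
              f"{row['WindowMinutes']} min", row["MachineAccounts"], row["SourceHosts"])
```

Only bob produces a row: alice is filtered by the admin list, SCCM01$ by the trailing-dollar check, carol falls below the threshold once her 90-minute-old event drops out of the window, and dave's objects are not of class computer. Swapping the admin list for one fed by a current-membership export rather than 30 days of group-add events is the one change worth making before relying on this in production.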

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, ago, in, has_any, summarize, tolower, where, extend, strcat, join, kind=leftanti, not, =~, count, make_set, min, max, by, >=, datetime_diff, case, tostring, project, order by, desc
