Create Account (T1136) is a MITRE ATT&CK technique in the Persistence tactic. SOC analysts detect it by monitoring for SIEM, XDR events, behavioral anomalies, and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.
Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to remain installed on the system. Accounts may be created on the local system or within a domain. In cloud environments, adversaries may create accounts within the victim cloud tenant to maintain access. Creating accounts is particularly valuable for persistence because it survives reboots, can be hidden from casual inspection, and provides a mechanism for returning to a compromised environment even after the initial foothold is remediated. Attackers often create accounts with names that blend in with legitimate accounts, use similar naming conventions to system accounts, or add themselves to existing groups to elevate privileges while minimizing the appearance of new account creation.
“Create Account is documented as technique T1136 in the MITRE ATT&CK knowledge base under the Persistence tactic. Detection requires visibility into SIEM, XDR telemetry.”
The following detection strategies help SOC analysts identify Create Account activity. These methods apply across SIEM, XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.
Monitor Windows Event ID 4720 for new local account creation and Event ID 4728 for additions to security-enabled global groups, alerting on account creation outside of established IT change management processes.
Track Active Directory changes for new user account creation, particularly accounts created outside business hours, accounts created by non-IT staff, or accounts immediately added to privileged groups like Domain Admins.
Monitor cloud platform audit logs for IAM user creation, service account creation, and privilege assignment events, correlating with change management records to identify unauthorized account creation.
Establish baseline account creation rates and alert on deviations, as attackers may create multiple accounts rapidly across different systems as part of establishing redundant persistence mechanisms.
Review newly created accounts for suspicious attributes such as long password expiration, no expiration date, membership in administrator groups, or creation from unusual source IP addresses.
These realistic alert examples show what Create Account looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
Windows Event 4720 detected on finance workstation FIN-WS-042: new local user account "helpdesk_support" created, immediately followed by Event 4732 adding account to Administrators group. Account creation was performed by the currently logged-in user who does not have IT administrative responsibilities, suggesting post-compromise persistence.
Active Directory audit log shows new domain user account "svc_monitor_new" created at 02:34 AM by domain admin account "da_operations". The domain admin account logged in from an IP address in Ukraine, which is outside the organization approved remote access locations. The new account was added to the Domain Admins group 90 seconds after creation.
AWS CloudTrail detected CreateUser API call followed immediately by AttachUserPolicy attaching AdministratorAccess policy. The API calls originated from an access key belonging to a developer account that was compromised via phishing. The new IAM user has programmatic access and no MFA requirement, providing persistent administrative access to the cloud environment.
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Create Account. Build detection skills with zero consequences — free forever.
Persistence refers to techniques adversaries use to maintain access across reboots, credential changes, and other disrup…
Read more GlossaryEndpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint activity, recording p…
Read more GlossaryThreat hunting is the proactive, human-led process of searching through security telemetry to find hidden threats that e…
Read more GlossaryAn Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain name, URL, registry …
Read more Career PathThreat Hunters do not wait for alerts. You develop hypotheses based on threat intelligence and adversary behavior models…
Read more Career PathDetection Engineers build the rules, analytics, and automated workflows that determine what the SOC can see. You transla…
Read more ToolThe SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ToolThe XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more ComparisonSOCSimulator wins on operational realism. You get multi-tool shift simulation with SLA pressure, noise injection, and al…
Read more ComparisonSOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…
Read more GlossaryComplete glossary of Security Operations Center terminology for aspiring SOC analysts.
Read more FeaturePractice alert triage under realistic time pressure with SLA timers and noise injection.
Read moreWe use cookies to improve your experience and measure usage. Learn more