Windows SecurityAccount ManagementEnhanced Analysis

Event 4720: A user account was created.

Quick Answer

Event 4720 logs the creation of new user accounts on Windows systems or Active Directory. Attackers create accounts for persistence and backdoor access. Monitoring this event helps detect unauthorized account creation, especially accounts added to privileged groups.

Technical Details

Windows Security Source

Event ID: 4720

Windows Security- Account Management

Event Description

A user account was created.

Analyst Notes & Scenarios

  • Monitor creations outside of standard procedures or by non-admin users.
  • Check SubjectUserName (who created it) and TargetUserName (what was created).
  • Often seen during legitimate admin activity, but also by attackers for persistence.

Key Log Fields

  • TargetUserName - Name of the created account
  • TargetDomainName - Domain where account was created
  • TargetSid - SID of the new account
  • SubjectUserName - Account that created the new user
  • SubjectDomainName - Domain of the creating account
  • SubjectLogonId - Logon ID for correlation
  • SamAccountName - SAM account name
  • UserPrincipalName - UPN of the new account
  • UserAccountControl - Account control flags (hex value)

MITRE ATT&CK® Mapping (3)

T1136persistence
Create Account

Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

T1136.001persistence
Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

T1136.002persistence
Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Event Comparison

Event 4720 often precedes Event 4732 (Member Added to Security Group) when attackers escalate privileges of newly created accounts.

What This Event Means

Event 4720 is generated whenever a new user account is created in Windows, whether locally on a workstation or in Active Directory domain services. This event captures who created the account, the new account name, and various account properties including group memberships and privilege assignments. For enterprise environments, this event is critical for detecting unauthorized account creation, which is a common persistence technique used by threat actors to maintain long-term access to compromised networks. Attackers often create accounts with innocuous names that blend in with legitimate service accounts or user accounts, sometimes mimicking naming conventions to avoid detection. The event also reveals if the newly created account was immediately added to sensitive groups like Domain Admins, Enterprise Admins, or local administrators. Security teams should establish strict baselines for account creation, as in mature environments new accounts are typically created through formal provisioning processes tied to HR systems or ticketing workflows. Any account creation outside these processes, especially accounts created during off-hours or by non-HR administrative accounts, should trigger immediate investigation. The combination of Event 4720 with subsequent logon activity (4624) from the new account helps analysts identify whether created accounts are actually being used for malicious purposes.

Security Implications

  • Accounts created outside normal business hours or without corresponding provisioning tickets indicate backdoor account creation
  • New accounts immediately added to privileged groups suggest attacker-created administrator backdoors
  • Account names that mimic legitimate system accounts or services ('svc-backup2', 'admin$') are typical attacker tactics
  • Multiple accounts created in rapid succession may indicate automated attack tools or mass compromise
  • Service account creation from non-standard administrative accounts can signal unauthorized access

Detection Strategies

Implement alerting for all account creation events and correlate with authorized change management processes. Flag any account created outside standard provisioning tools or by unauthorized administrators. Monitor for accounts added to sensitive groups within minutes of creation. Alert on accounts created with suspicious names, especially those with special characters or names similar to existing privileged accounts. Track accounts that are created but never used for logon, as these may be dormant backdoors. Cross-reference new account creation with HR onboarding data to identify illegitimate accounts. For domain environments, ensure all 4720 events on domain controllers are logged and alerted. Comprehensive detection rules for various SIEM platforms will be added in future releases.

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • APT41 consistently creates accounts named after system services to establish persistence in compromised environments

  • Hafnium threat group created administrator accounts on Exchange servers during their 2021 campaign exploiting ProxyLogon vulnerabilities

  • Conti ransomware operators create local administrator accounts on domain controllers to facilitate domain-wide ransomware deployment

Contents