EventPeeker

Event ID 4720 — User Account Created

Event ID 4720 is logged when a new user account is created in Active Directory or on a local Windows system. While routine in normal operations, unauthorized account creation is a common attacker persistence technique.

MITRE ATT&CK

Technique: T1136 · Create Account
Tactic: Persistence


Security Relevance

Attackers who gain domain admin access frequently create new accounts as a backup persistence mechanism — if their primary access is detected and removed, the hidden account remains. These accounts are often given innocuous names to blend in and may be added directly to privileged groups. Unauthorized account creation should be treated as a high-severity indicator.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4720
Level:     Information

A user account was created.

Subject:
  Security ID:   CORP\Administrator
  Account Name:  Administrator
  Account Domain: CORP
  Logon ID:      0x3E7

New Account:
  Security ID:   CORP\svc-monitor
  Account Name:  svc-monitor
  Account Domain: CORP

Attributes:
  SAM Account Name: svc-monitor
  Display Name:     Service Monitor Account
  User Principal Name: -

Investigation Steps

  1. Identify who created the account — was it a known admin performing a planned task, or an unexpected account?
  2. Check the new account name — attackers often use service-account-style names (svc-, sys-, admin-) to blend in.
  3. Look for Event ID 4728 or 4732 immediately after — the account may have been added to privileged groups.
  4. Check whether the account was created during off-hours or during an active incident.
  5. Verify the account against your HR/IT provisioning process — was a ticket raised for this account?
  6. Check if the account has ever logged on (Event ID 4624) and from where.
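The six investigation steps above, together with the related event IDs further down, can be run as one triage pass over a batch of Security-log events. The script below is an added example written for this guide, not EventPeeker's own code: it takes constructed sample events in a simple pipe-separated key=value form (a real pipeline would read EVTX/XML), and for each 4720 it records who created the account (step 1), flags service-account-style names (step 2), looks for a 4728/4732 group addition for the new account within a 30-minute window (step 3), flags off-hours creation against an assumed 08:00-19:00 business window (step 4), and lists the sources of any 4624 logons by the new account (step 6). The window length, business hours and sample field names are assumptions for the example.

```python
"""Triage helper for Event ID 4720 (user account created).

Walks a batch of Security-log events, finds each account creation and attaches
the context the investigation steps ask for: who created it, whether the name
looks like a service account, whether it was created off-hours, whether a
4728/4732 group addition for the new account follows shortly after, and
whether the account has already logged on (4624) and from where.
"""
from datetime import datetime, timedelta

# Name prefixes attackers often borrow to blend in (from the guide above).
SERVICE_STYLE_PREFIXES = ("svc-", "sys-", "admin-")
# Assumed business hours (hour of day, in the log's own time zone).
BUSINESS_HOURS = range(8, 19)  # 08:00 through 18:59
# How long after creation a group add still counts as "immediately after" (assumed).
CORRELATION_WINDOW = timedelta(minutes=30)
GROUP_ADD_EVENTS = {4728: "global security group", 4732: "local group"}

# Constructed sample data, not real telemetry. Pipe-separated for brevity:
# timestamp | event id | key=value fields. Real events would come from EVTX.
SAMPLE_LOG = r"""
2024-05-02T02:14:00+00:00|4720|subject=CORP\Administrator|target=CORP\svc-monitor
2024-05-02T02:15:30+00:00|4728|subject=CORP\Administrator|member=CORP\svc-monitor|group=Domain Admins
2024-05-02T02:40:12+00:00|4624|account=CORP\svc-monitor|source=10.20.30.77
2024-05-02T10:05:00+00:00|4720|subject=CORP\hr-provisioning|target=CORP\jdoe
2024-05-02T10:30:00+00:00|4624|account=CORP\jdoe|source=10.20.30.15
"""


def parse_events(lines):
    """Parse the constructed pipe-separated lines into event dicts, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, eid, *fields = line.split("|")
        ev = {"time": datetime.fromisoformat(ts), "id": int(eid)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def triage_account_creations(events):
    """Return one finding per 4720 event, with correlated context and a severity."""
    findings = []
    for ev in events:
        if ev["id"] != 4720:
            continue
        target = ev.get("target", "?")
        created = ev["time"]
        # Steps 3 and 6: group adds shortly after creation, and any logon since.
        group_adds = [
            f"{e['id']} ({GROUP_ADD_EVENTS[e['id']]}): {e.get('group', '?')}"
            for e in events
            if e["id"] in GROUP_ADD_EVENTS
            and e.get("member") == target
            and created < e["time"] <= created + CORRELATION_WINDOW
        ]
        logon_sources = sorted({
            e.get("source", "?")
            for e in events
            if e["id"] == 4624 and e.get("account") == target and e["time"] > created
        })
        reasons = []
        # Step 2: service-account-style naming on the SAM account name part.
        if target.split("\\")[-1].lower().startswith(SERVICE_STYLE_PREFIXES):
            reasons.append("service-account-style name")
        # Step 4: off-hours creation.
        if created.hour not in BUSINESS_HOURS:
            reasons.append("created off-hours")
        if group_adds:
            reasons.append("added to group(s): " + "; ".join(group_adds))
        # Group membership right after creation is the strongest signal here.
        severity = "high" if group_adds else ("medium" if reasons else "low")
        findings.append({
            "account": target,
            "created_by": ev.get("subject", "?"),  # step 1
            "created_at": created.isoformat(),
            "reasons": reasons,
            "logon_sources": logon_sources,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_account_creations(parse_events(SAMPLE_LOG.splitlines())):
        print(f"[{finding['severity']}] {finding['account']} created by "
              f"{finding['created_by']} at {finding['created_at']}")
        for reason in finding["reasons"]:
            print("   -", reason)
        if finding["logon_sources"]:
            print("   - logons seen from:", ", ".join(finding["logon_sources"]))
```

On the sample data the svc-monitor creation comes out as high severity (service-style name, created at 02:14, added to Domain Admins within two minutes, already logged on from 10.20.30.77), while the jdoe creation during business hours with no group change is low and only needs the step 5 check against the provisioning ticket, which no log can answer.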


Remediation

  • Disable the suspicious account immediately pending investigation.
  • Audit all accounts created in the past 30 days against your provisioning records.
  • Check whether the account was added to any groups, especially privileged ones.
  • Enable alerting on Event ID 4720 — new account creation should always be reviewed.
  • Restrict who can create accounts — delegate account creation only to specific admin roles.
  • Implement account creation approval workflows to prevent unauthorized provisioning.

Related Event IDs

4728: User added to global security group — attacker may immediately escalate the new account
4732: User added to local group — check for Administrators group membership
4672: Special privileges assigned — new account may have been given admin privileges
4624: Successful logon — check if the new account has already been used
