EventPeeker
Event ID 4720 · Audit Success · Security · T1136

Windows Event ID 4720: User Account Created

Logged when a new user account is created in Active Directory or locally on a Windows system. Fires on the domain controller for AD accounts and on the local machine for local accounts. Every account creation — whether by IT provisioning or an attacker — generates this event.

MITRE ATT&CK

Technique

T1136 · Create Account

Tactic

Persistence


Why It Matters

Attackers create backdoor accounts to maintain persistent access that survives password resets, detection, and partial remediation. Unlike compromising an existing account, a new account can be named and configured to blend in — matching naming conventions, set with 'password never expires', or created with attributes that make it look like a service account. The critical pattern is 4720 + 4728 within seconds: account created, then immediately added to Domain Admins. This two-event sequence is the attacker establishing a domain-wide backdoor and is one of the highest-confidence persistence IOCs in Windows event logs.

Key Fields

New Account Name: The name of the created account — look for names that mimic existing naming conventions (svc_backup2, admin.helpdesk), system-looking names (windowsupdate, svchost$), or names that do not appear in HR/IT change records
New Account Domain: The domain where the account was created — unexpected domains or creation of local accounts on domain-joined servers are suspicious
Subject Account Name: The account that created the new user — should be a known IT admin or provisioning service account. An unexpected creator is as important a signal as the new account itself
Subject Logon ID: Links to the creator's 4624 session — correlate to check logon type and source IP. A creator session that itself originated from a brute-force success is evidence of post-compromise account creation
User Account Control flags: Flags set at creation time — 'Password Not Required', 'Password Never Expires', and 'Account Disabled' (created dormant for later activation) are all attacker-favored configurations
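The three per-event checks above (unexpected creator, risky User Account Control flags, naming camouflage) can be applied to each 4720 as it arrives, before any correlation with later events. The following is an added example, not EventPeeker's code: it takes a parsed 4720 as a dict with constructed field names (SubjectUserName, TargetUserName, UserAccountControl), decodes the raw User Account Control field, and compares the new name against a list of existing accounts. The %%-code mapping is assumed from the Security log's parameter messages and should be verified against your own rendered events; the system-looking name list is illustrative.

```python
"""Triage a single 4720 event: creator, UAC flags at creation, naming camouflage.
Added example (not EventPeeker's code); field names and sample values are constructed."""
from __future__ import annotations

import difflib
import re

# Parameter-message codes Windows writes into the 4720 'User Account Control' field.
# Assumed mapping: verify against the rendered text of your own events.
UAC_CODES = {
    "%%2080": "Account Disabled",
    "%%2082": "'Password Not Required' - Enabled",
    "%%2084": "'Normal Account' - Enabled",
    "%%2089": "'Don't Expire Password' - Enabled",
}
# Attacker-favored flags at creation time (see Key Fields above).
RISKY_UAC = {
    "Account Disabled",
    "'Password Not Required' - Enabled",
    "'Don't Expire Password' - Enabled",
}
# Illustrative list of names that imitate OS components; extend per environment.
SYSTEM_LOOKING = re.compile(r"^(windowsupdate|svchost|lsass|csrss|wininit|msupdate)\$?$", re.I)


def decode_uac(raw: str) -> list[str]:
    """Translate the raw field (either %%codes or already-rendered lines) into flag names."""
    flags = [UAC_CODES.get(tok, tok) for tok in re.findall(r"%%\d+", raw)]
    if not flags:  # field was already rendered as one flag per line
        flags = [line.strip() for line in raw.splitlines() if line.strip()]
    return flags


def name_findings(new_name: str, existing: list[str]) -> list[str]:
    """Flag names that imitate system components or existing accounts."""
    findings = []
    n = new_name.lower()
    if SYSTEM_LOOKING.match(n):
        findings.append(f"system-looking name: {new_name}")
    base = re.sub(r"\d+$", "", n)  # 'svc_backup2' -> 'svc_backup'
    for e in existing:
        el = e.lower()
        if el == n:
            continue
        if base and base == re.sub(r"\d+$", "", el):
            findings.append(f"digit-suffix variant of existing account {e}")
            break
        if difflib.SequenceMatcher(None, n, el).ratio() >= 0.85:
            findings.append(f"near-duplicate of existing account {e}")
            break
    return findings


def triage_4720(event: dict, existing_accounts: list[str], provisioning: set[str]) -> dict:
    """Return the account name, decoded flags and a list of findings for one 4720 event."""
    findings = []
    if event["SubjectUserName"] not in provisioning:
        findings.append(f"unexpected creator: {event['SubjectUserName']}")
    flags = decode_uac(event.get("UserAccountControl", ""))
    findings += [f"risky UAC flag at creation: {f}" for f in flags if f in RISKY_UAC]
    findings += name_findings(event["TargetUserName"], existing_accounts)
    return {"account": event["TargetUserName"], "flags": flags, "findings": findings}


# Constructed sample data: two 4720 events, one benign and one suspicious.
EXISTING = ["svc_backup", "john.smith", "it.helpdesk"]
PROVISIONING = {"svc_provision", "adm.jdoe"}
SAMPLE_EVENTS = [
    {"SubjectUserName": "svc_provision", "TargetUserName": "jane.doe",
     "UserAccountControl": "%%2084"},
    {"SubjectUserName": "WKS01$", "TargetUserName": "svc_backup2",
     "UserAccountControl": "%%2080 %%2082 %%2084"},
]


def triage_samples() -> list[dict]:
    return [triage_4720(e, EXISTING, PROVISIONING) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in triage_samples():
        print(r["account"], r["findings"])
```

The second sample trips every check at once: created by a workstation account, created disabled with no password required, and named as a digit-suffix variant of an existing service account. Each finding alone is worth a ticket; all three together is the profile the Why It Matters section describes.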

Investigation Tips

  1. Verify every 4720 against HR records and IT change tickets — account creation should never happen outside a documented provisioning process. Any unrecognized 4720 should be investigated immediately.
  2. Backdoor sequence: 4720 immediately followed by 4728 (Domain Admins) or 4732 (local Administrators) within 60 seconds, both events sharing the same Subject Account Name. This is the attacker establishing persistence — treat it as a critical incident.
  3. Validate the Subject Account Name: unexpected creators (a service account, a workstation account, or an account that isn't part of your IT provisioning workflow) indicate the creator account was itself compromised. Trace the creator's session via Subject Logon ID.
  4. Naming camouflage: check whether the new account name resembles existing accounts — attackers study the environment first. 'john.smith2', 'svc_monitor_bkp', or 'IT.helpdesk' in an environment with similar names should trigger the same scrutiny as an obvious 'hacker123'.
  5. Account created disabled (then activated later via 4722) is a low-and-slow persistence technique — the account sits dormant and is activated weeks or months later when the attacker needs it. Watch for 4720 events where the account is immediately disabled, then 4722 events for the same account much later.
  6. Check for 4624 logons from the new account immediately after creation — if the account is used within minutes, the attacker is actively operating. A new account that goes days without a logon may be a sleeper.
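Tips 2, 5 and 6 are all time-window correlations keyed on the new account: a privileged-group add by the same creator within 60 seconds, an enable (4722) weeks later, or a logon (4624) within minutes. The following is an added example, not EventPeeker's code, that runs those three correlations over a constructed in-memory event list. The dict fields (id, time, subject, target, member, group) are simplified stand-ins for the Security log fields; in a real 4728 the member is a distinguished name rather than a bare sAMAccountName, so a production version would match on the CN component.

```python
"""Correlate each 4720 with follow-on events for the same account.
Added example (not EventPeeker's code); events below are constructed."""
from __future__ import annotations

from datetime import datetime, timedelta

# Group names that turn a fresh account into a backdoor when added immediately.
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BACKDOOR_WINDOW = timedelta(seconds=60)   # tip 2
SLEEPER_GAP = timedelta(days=7)           # tip 5: "weeks or months later"
ACTIVE_WINDOW = timedelta(minutes=10)     # tip 6: "used within minutes"


def classify_creations(events: list[dict]) -> list[dict]:
    """For every 4720, scan later events about the same account and return a verdict.
    Verdicts in order of severity: critical > sleeper > active > review."""
    events = sorted(events, key=lambda e: e["time"])
    results = []
    for i, ev in enumerate(events):
        if ev["id"] != 4720:
            continue
        t0 = datetime.fromisoformat(ev["time"])
        new_acct = ev["target"].lower()
        creator = ev["subject"]
        verdict, evidence = "review", []
        for later in events[i + 1:]:
            dt = datetime.fromisoformat(later["time"]) - t0
            # Tip 2: same creator adds the new account to a privileged group within 60 s.
            if (later["id"] in (4728, 4732) and later["subject"] == creator
                    and later.get("member", "").lower() == new_acct
                    and later.get("group") in PRIV_GROUPS and dt <= BACKDOOR_WINDOW):
                verdict = "critical"
                evidence.append(f"{later['id']} {later['group']} +{int(dt.total_seconds())}s")
            # Tip 5: account enabled long after creation (created dormant).
            elif later["id"] == 4722 and later["target"].lower() == new_acct and dt >= SLEEPER_GAP:
                if verdict != "critical":
                    verdict = "sleeper"
                evidence.append(f"4722 enable after {dt.days} days")
            # Tip 6: the new account logs on within minutes of creation.
            elif later["id"] == 4624 and later["target"].lower() == new_acct and dt <= ACTIVE_WINDOW:
                if verdict == "review":
                    verdict = "active"
                evidence.append(f"4624 logon +{int(dt.total_seconds())}s")
        results.append({"account": ev["target"], "creator": creator,
                        "verdict": verdict, "evidence": evidence})
    return results


# Constructed sample timeline covering all three patterns.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-03-01T02:14:05", "subject": "adm.jdoe", "target": "svc_backup2"},
    {"id": 4728, "time": "2024-03-01T02:14:12", "subject": "adm.jdoe",
     "member": "svc_backup2", "group": "Domain Admins"},
    {"id": 4720, "time": "2024-03-01T03:00:00", "subject": "adm.jdoe", "target": "it.helpdesk"},
    {"id": 4722, "time": "2024-04-15T09:00:00", "subject": "adm.jdoe", "target": "it.helpdesk"},
    {"id": 4720, "time": "2024-03-02T09:00:00", "subject": "svc_provision", "target": "jane.doe"},
    {"id": 4624, "time": "2024-03-02T09:03:00", "subject": "-", "target": "jane.doe"},
]


def classify_samples() -> dict[str, dict]:
    return {r["account"]: r for r in classify_creations(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for acct, r in classify_samples().items():
        print(acct, r["verdict"], r["evidence"])
```

Matching on the new account (not just the creator) is what keeps the critical verdict precise: a busy admin who creates one account and, within the same minute, legitimately adds a different, pre-existing user to a group does not trip it.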

Detection Logic (KQL)

Microsoft Sentinel (KQL) — alert on unexpected account creation and the high-confidence backdoor sequence (4720 + 4728 to Domain Admins within 60 seconds).

// All account creation events — filter to non-provisioning actors
SecurityEvent
| where EventID == 4720
| where SubjectAccount !in ("known-provisioning-account", "SYSTEM")
| project TimeGenerated, SubjectAccount, NewAccount=TargetAccount,
    NewAccountDomain=TargetDomainName, Computer
| sort by TimeGenerated desc

// Backdoor account IOC: new account + Domain Admins addition within 60 seconds
let creates = SecurityEvent
| where EventID == 4720
// keep TargetUserName (sAMAccountName) for member matching and Computer for the final project
| project t0=TimeGenerated, SubjectAccount, NewAccount=TargetAccount,
    NewSam=TargetUserName, Computer;
let adds = SecurityEvent
| where EventID == 4728
| where TargetUserName has_any ("Domain Admins", "Enterprise Admins")
// in 4728 MemberName is the distinguished name of the account that was added
| project t1=TimeGenerated, SubjectAccount, AddedUser=MemberName;
creates
| join kind=inner adds on SubjectAccount
| where abs(datetime_diff('second', t1, t0)) <= 60
// same actor AND the member added is the account that was just created
| where AddedUser contains NewSam
| project t0, t1, SubjectAccount, NewAccount, AddedUser, Computer

Related Event IDs

4728: Added to global group — 4720 + 4728 within seconds = backdoor account IOC
4732: Added to local Administrators — local escalation immediately after creation
4722: Account enabled — dormant account activated after creation
4624: Successful logon — check for immediate logon by the new account
4725: Account disabled — may follow creation if attacker creates a sleeper account
