User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d)

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

Data Collection Measures:

  • Host-Based Logging
    • Windows Event Logs
      • Event ID 4720 – A new user account was created.
      • Event ID 4732/4735 – A user was added to a privileged group.
      • Event ID 4798 – Enumeration of user accounts.
    • Linux/macOS Authentication Logs
      • /var/log/auth.log, /var/log/secure – Logs useradd, adduser, passwd, and groupmod activities.
      • AuditD – Detects new account creation via PAM (useradd, usermod).
      • OSQuery – The users table tracks newly created accounts.
  • Cloud-Based Logging
    • Azure AD Logs
      • Azure AD Audit Logs – Tracks new user and service account creation.
      • Azure Graph API – Provides logs on new account provisioning.
    • AWS IAM & CloudTrail Logs
      • CreateUser, CreateRole – Tracks new IAM user creation.
      • AttachRolePolicy – Identifies privilege escalation via account creation.
    • Google Workspace & Office 365 Logs
      • Google Admin Console – Logs user creation in User Accounts API.
      • Microsoft 365 Unified Audit Log – Tracks new account provisioning.
  • Container & Network Account Creation Logs
    • Kubernetes Account Creation Logs
      • kubectl audit logs – Detects new service account provisioning.
      • GKE/Azure AKS Logs – Track new container service accounts.
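The host-based sources above are most useful when they are normalized and correlated: a new account (Windows 4720, or a `useradd` line in auth.log) followed shortly by that same account joining a privileged group is the pattern worth alerting on. The script below is an added example, not part of the MITRE data component or the MISP galaxy, and it runs over constructed sample events only. The Windows event field names (`SubjectUserName`, `TargetUserName`, `MemberName`, `Computer`), the auth.log message formats, and the set of "privileged" group names are assumptions that would need to match the collector and platform actually in use.

```python
"""Correlate account-creation events from constructed Windows and Linux log samples.

Added example (not from the MITRE/MISP page). Normalizes Windows Security
events 4720/4732 and Linux auth.log lines from useradd/usermod into one record
type, then reports accounts that were created and then added to a privileged
group. All inputs below are constructed; field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed Windows Security events as a SIEM might present parsed EVTX.
# Field names are assumptions, not a fixed schema.
WINDOWS_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-deploy",
     "TargetUserName": "backup_adm", "Computer": "host01"},
    {"EventID": 4732, "SubjectUserName": "svc-deploy",
     "MemberName": "HOST01\\backup_adm", "TargetUserName": "Administrators",
     "Computer": "host01"},
    {"EventID": 4624, "SubjectUserName": "alice",
     "TargetUserName": "alice", "Computer": "host01"},
]

# Constructed /var/log/auth.log lines (useradd, usermod, and an unrelated sshd line).
AUTH_LOG = """\
Mar  3 10:15:01 host02 useradd[2231]: new user: name=backup_adm, UID=1005, GID=1005, home=/home/backup_adm, shell=/bin/bash
Mar  3 10:15:09 host02 usermod[2240]: add 'backup_adm' to group 'sudo'
Mar  3 10:16:00 host02 sshd[2251]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Group names treated as privileged for this example (assumption; tune per environment).
PRIVILEGED_GROUPS = {"administrators", "sudo", "wheel", "domain admins"}


@dataclass(frozen=True)
class AccountEvent:
    host: str
    actor: str      # who made the change; empty when the log carries no subject
    account: str    # the account created or added to a group
    kind: str       # "created" or "privileged_group_add"
    group: str = ""
    source: str = ""


def from_windows(events: Iterable[dict]) -> list[AccountEvent]:
    """4720 = account created; 4732 = member added to a security-enabled local group."""
    out: list[AccountEvent] = []
    for e in events:
        if e.get("EventID") == 4720:
            out.append(AccountEvent(e["Computer"], e["SubjectUserName"],
                                    e["TargetUserName"], "created", source="win:4720"))
        elif e.get("EventID") == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = e["MemberName"].split("\\")[-1]   # strip DOMAIN\ prefix
            out.append(AccountEvent(e["Computer"], e["SubjectUserName"], member,
                                    "privileged_group_add", e["TargetUserName"], "win:4732"))
    return out


# Syslog prefix: "Mon  d HH:MM:SS host process[pid]: message"
_PREFIX = r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+"
USERADD_RE = re.compile(_PREFIX + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),")
USERMOD_RE = re.compile(_PREFIX + r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")


def from_auth_log(text: str) -> list[AccountEvent]:
    """Pull account creation and privileged-group additions out of auth.log text."""
    out: list[AccountEvent] = []
    for line in text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            out.append(AccountEvent(m["host"], "", m["name"], "created", source="auth.log:useradd"))
            continue
        m = USERMOD_RE.match(line)
        if m and m["group"].lower() in PRIVILEGED_GROUPS:
            out.append(AccountEvent(m["host"], "", m["name"], "privileged_group_add",
                                    m["group"], "auth.log:usermod"))
    return out


def created_then_privileged(events: list[AccountEvent]) -> set[tuple[str, str]]:
    """(host, account) pairs that were both newly created and added to a privileged group."""
    created = {(e.host, e.account) for e in events if e.kind == "created"}
    privileged = {(e.host, e.account) for e in events if e.kind == "privileged_group_add"}
    return created & privileged


def run() -> set[tuple[str, str]]:
    events = from_windows(WINDOWS_EVENTS) + from_auth_log(AUTH_LOG)
    return created_then_privileged(events)


if __name__ == "__main__":
    for host, account in sorted(run()):
        print(f"{host}: new account '{account}' was added to a privileged group")
```

In a real pipeline the two parsers would read from the collector feeding the SIEM, and the correlation would be bounded by a time window rather than run over the whole batch; the point here is that both platforms reduce to the same two event kinds, so one rule covers the Windows and Linux sources the page lists.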

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | 1 |
| User Account Creation (deb22295-7e37-4a3b-ac6f-c86666fbe63d) | mitre-data-component | Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) | Attack Pattern | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) | Attack Pattern | 2 |
| Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) | Attack Pattern | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 2 |
| Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 2 |
| Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) | Attack Pattern | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 2 |