4720 A user account was created

Written when a new user account is created. It is a core account-management monitoring event for catching an attacker creating a rogue account (persistence/backdoor).

Overview

The audit subcategory is Audit User Account Management. The event is generated whenever a new user object is created, and it is recorded on domain controllers, member servers, and workstations alike. It includes the created account name, the creator, and the account's initial attributes.

How it is triggered

  • Account creation via net user /add, AD user creation, New-LocalUser / New-ADUser, APIs, and so on.

Security review points

  • After a breach, an attacker may create their own account as a backdoor for re-entry (persistence). Be especially wary if addition to an administrator-level group (4732) follows right after.
  • Watch for deviations in the creating subject, time, and naming convention (outside business hours, names that do not follow convention). Also be alert to names that masquerade as service accounts or administrators.
  • Track the full sequence of account preparation: the creation (4720) together with the enable (4722), password set, and group addition (4732) that follow it.

Notes for log review

  • It also occurs during legitimate onboarding and operations. Match against the creating subject (HR-system integration vs manual), target OU, and naming convention.
  • Creation on a domain controller affects the whole domain. Monitor 4720 on DCs with particular focus.
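The review points and log-review notes above, combined into one triage pass over exported events. This is an added example, not part of the original page: the flat event keys, the provisioning account `svc-hr-sync`, the `first.last` naming rule, the business hours, the 30-minute window and the sample events are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values, adjust to your environment).
PROVISIONERS = {"svc-hr-sync"}               # HR-system integration account
NAME_RULE = re.compile(r"^[a-z]+\.[a-z]+$")  # convention: first.last
BUSINESS_HOURS = range(8, 19)                # 08:00-18:59 local time
ADMIN_GROUPS = {"Administrators"}            # administrator-level groups
WINDOW = timedelta(minutes=30)               # how long to follow an account

# Constructed sample events; flat keys stand in for the real event fields.
EVENTS = [
    {"id": 4720, "time": "2024-05-06T10:15:00", "host": "DC01", "subject": "svc-hr-sync", "target": "j.doe"},
    {"id": 4722, "time": "2024-05-06T10:15:01", "host": "DC01", "subject": "svc-hr-sync", "target": "j.doe"},
    {"id": 4720, "time": "2024-05-07T02:41:10", "host": "DC01", "subject": "helpdesk3", "target": "svc_backup"},
    {"id": 4722, "time": "2024-05-07T02:41:12", "host": "DC01", "subject": "helpdesk3", "target": "svc_backup"},
    {"id": 4732, "time": "2024-05-07T02:43:00", "host": "DC01", "subject": "helpdesk3", "target": "svc_backup", "group": "Administrators"},
]

def review_creations(events):
    """Return one finding per 4720: the follow-up chain and deviation reasons."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for ev in (e for e in events if e["id"] == 4720):
        created = datetime.fromisoformat(ev["time"])
        reasons = []
        if ev["subject"] not in PROVISIONERS:
            reasons.append("manual creator")
        if created.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not NAME_RULE.match(ev["target"]):
            reasons.append("name breaks convention")
        chain = [4720]
        for nxt in events:  # same account, same host, within WINDOW after creation
            delta = datetime.fromisoformat(nxt["time"]) - created
            if (nxt["id"] in (4722, 4732) and nxt["target"] == ev["target"]
                    and nxt["host"] == ev["host"] and timedelta(0) <= delta <= WINDOW):
                chain.append(nxt["id"])
                if nxt["id"] == 4732 and nxt.get("group") in ADMIN_GROUPS:
                    reasons.append(f"added to {nxt['group']} after creation")
        findings.append({"account": ev["target"], "creator": ev["subject"],
                         "host": ev["host"], "chain": chain, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_creations(EVENTS):
        print("REVIEW" if f["reasons"] else "ok", f)
```

A creation with an empty `reasons` list matches the expected onboarding path; any other finding carries the chain of event IDs to pull for review.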

Key fields

Field                            Meaning
New Account\Account Name         The created account name
Subject\Account Name             The subject that created the account
SAM Account Name / attributes    The initially set attributes
