DC0014 User Account Creation
| Item | Value |
|---|---|
| ID | DC0014 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |
Log Sources
| Name | Channel |
|---|---|
| auditd:SYSCALL | adduser |
| auditd:SYSCALL | useradd or adduser executed |
| AWS:CloudTrail | CreateUser |
| azure:audit | Add user |
| docker:daemon | ExecCreate + usermod or useradd |
| m365:unified | Add user |
| networkdevice:syslog | username |
| saas:okta | user.lifecycle.create |
| saas:slack | admin.user.create |
| saas:zoom | New user created |
| WinEventLog:Security | EventCode=4720 |
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0353 | Detection Strategy for Hidden User Accounts | T1564.002 |
| DET0383 | Detection Strategy for Masquerading via Account Name Similarity | T1036.010 |
| DET0583 | Detection Strategy for T1136 - Create Account across platforms | T1136 |
| DET0319 | Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office | T1136.003 |
| DET0447 | T1136.001 Detection Strategy - Local Account Creation Across Platforms | T1136.001 |
| DET0003 | T1136.002 Detection Strategy - Domain Account Creation Across Platforms | T1136.002 |