
DET0583 Detection Strategy for T1136 - Create Account across platforms

| Item | Value |
| --- | --- |
| ID | DET0583 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1136 (Create Account)

Analytics

Windows

AN1604

Adversary uses built-in OS tools or API calls to create local or domain accounts for persistence or lateral movement. Tools such as ‘net user’, PowerShell, or MMC snap-ins may be used. Detection focuses on Event ID 4720 paired with process lineage and user context.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| User Account Creation (DC0014) | WinEventLog:Security | EventCode=4720 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

Mutable Elements

| Field | Description |
| --- | --- |
| TimeWindow | Correlation between Event ID 4720 and the creating process may vary by environment and automation delays |
| ParentProcessName | Tools like net.exe or powershell.exe can be normal or malicious depending on user context |
| UserContext | System vs. administrator vs. low-privilege user context changes alert criticality |
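The correlation AN1604 describes, written out as an added example (not code from the ATT&CK page or project): each Security 4720 record is joined to a Sysmon Event ID 1 record for a known account-creation tool run by the same subject within a configurable TimeWindow, and the alert is graded by UserContext. The events, the ACCOUNT_TOOLS allowlist, the KNOWN_ADMINS set and the severity mapping are all assumptions constructed for the example.

```python
"""Correlate Windows Security Event ID 4720 (account created) with the Sysmon
Event ID 1 process that issued the creation and grade the alert by user context.
All records below are constructed samples, not real telemetry."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Binaries that legitimately create accounts (assumed allowlist for this example).
ACCOUNT_TOOLS = {"net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "mmc.exe", "dsadd.exe"}
# Assumed: the environment's known administrator accounts (normally from AD group membership).
KNOWN_ADMINS = {"jdoe"}
# Assumed grading: SYSTEM-context creation is non-interactive, a low-privilege
# subject creating accounts should never happen, an admin doing it is routine-ish.
SEVERITY = {"system": "high", "administrator": "medium", "low-privilege": "critical"}

def norm_user(name):
    """Drop the DOMAIN\\ prefix, lower-case, and fold SYSTEM / machine accounts into 'system'."""
    short = name.rsplit("\\", 1)[-1].lower()
    return "system" if short == "system" or short.endswith("$") else short

def user_context(user):
    if user == "system":
        return "system"
    return "administrator" if user in KNOWN_ADMINS else "low-privilege"

def correlate(creations, processes, window_seconds=30):
    """For each 4720, find a Sysmon 1 record for an account tool run by the same
    subject within window_seconds before the creation; grade by user context."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ev in creations:
        if ev.get("EventCode") != 4720:
            continue
        t = datetime.fromisoformat(ev["time"])
        subject = norm_user(ev["SubjectUserName"])
        creator = None
        for p in processes:
            if p.get("EventCode") != 1:
                continue
            if PureWindowsPath(p["Image"]).name.lower() not in ACCOUNT_TOOLS:
                continue
            if norm_user(p["User"]) != subject:
                continue
            if t - window <= datetime.fromisoformat(p["time"]) <= t:
                creator = p
                break
        ctx = user_context(subject)
        alerts.append({
            "new_account": ev["TargetUserName"],
            "subject": subject,
            "context": ctx,
            "severity": SEVERITY[ctx],
            "creator": creator["Image"] if creator else None,
            "parent": creator["ParentImage"] if creator else None,
            "command": creator["CommandLine"] if creator else None,
            "note": None if creator else "no account tool run by subject within window",
        })
    return alerts

# Constructed sample events (field names follow the Security / Sysmon schemas).
SECURITY_4720 = [
    {"time": "2025-10-21T10:00:05", "EventCode": 4720, "TargetUserName": "svc_backup",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1"},
    {"time": "2025-10-21T03:12:40", "EventCode": 4720, "TargetUserName": "helpdesk2",
     "SubjectUserName": "WS01$", "SubjectLogonId": "0x3e7"},
    {"time": "2025-10-21T12:30:00", "EventCode": 4720, "TargetUserName": "tempadmin",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1"},
]
SYSMON_1 = [
    {"time": "2025-10-21T10:00:03", "EventCode": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "CommandLine": "net user svc_backup /add"},
    {"time": "2025-10-21T03:12:39", "EventCode": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "powershell.exe -Command New-LocalUser helpdesk2"},
    {"time": "2025-10-21T09:00:00", "EventCode": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": r"CORP\jdoe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for a in correlate(SECURITY_4720, SYSMON_1):
        print(a)
```

The third 4720 has no matching process inside the window and is still emitted, with a note, rather than dropped: a creation with no visible creating process is itself worth a look (Sysmon gap, remote SAM/MMC call, or a tool outside the allowlist). The ParentImage of the matched process is carried into the alert so the analyst sees lineage such as WmiPrvSE.exe spawning PowerShell.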

Linux

AN1605

Adversary invokes ‘useradd’, ‘adduser’, or equivalent system commands or scripts to create local users. Detection focuses on command execution and audit trail of passwd/shadow file modifications.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| User Account Creation (DC0014) | auditd:SYSCALL | useradd or adduser executed |
| File Modification (DC0061) | auditd:SYSCALL | chmod/chown to /etc/passwd or /etc/shadow |

Mutable Elements

| Field | Description |
| --- | --- |
| BinaryPath | Custom scripts or renamed binaries may evade simple path-based detection |
| ExecutionTime | Account creation outside maintenance windows may indicate compromise |
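An added example for AN1605 (not the page's own code): it parses raw auditd SYSCALL and PATH records, groups them by audit serial, and fires on two conditions: a known account tool executing, and any binary outside an expected set touching /etc/passwd or /etc/shadow. The second condition is what covers the BinaryPath caveat, since a renamed or scripted useradd still has to write those files. Each alert is stamped with whether it fell outside the ExecutionTime maintenance window. The audit rules, the EXPECTED_WRITERS baseline, the window and the log lines are assumptions constructed for the example.

```python
"""Detect local account creation from auditd records: (1) useradd/adduser
executing, (2) an unexpected binary writing /etc/passwd or /etc/shadow.
Each alert notes whether it happened outside the maintenance window.
The audit lines below are constructed samples."""
import re
from datetime import datetime, timezone

ACCOUNT_TOOLS = {"useradd", "adduser", "newusers"}
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}
# Assumed baseline of binaries that may rewrite the files above.
EXPECTED_WRITERS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel", "/usr/sbin/adduser",
                    "/usr/bin/passwd", "/usr/sbin/chpasswd", "/usr/sbin/vipw", "/usr/sbin/groupadd"}
MAINTENANCE_HOURS_UTC = range(2, 4)   # assumed change window, 02:00-03:59 UTC

# Assumed audit rules feeding this: -w /etc/passwd -p wa -k passwd_mod (and the same
# for /etc/shadow). Every SYSCALL record carries comm= and exe=, which is what we key on.
REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One auditd line -> dict with type, epoch, serial and the key=value fields."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    rtype, epoch, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"type": rtype, "epoch": int(epoch), "serial": int(serial), **fields}

def group_events(lines):
    """Group SYSCALL and PATH records that share an audit serial into one event."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        ev = events.setdefault(rec["serial"], {"epoch": rec["epoch"], "syscall": None, "paths": set()})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH" and "name" in rec:
            ev["paths"].add(rec["name"])
    return events

def detect(lines):
    alerts = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if sc is None:
            continue
        exe, comm = sc.get("exe", ""), sc.get("comm", "")
        reasons = []
        if comm in ACCOUNT_TOOLS or exe.rsplit("/", 1)[-1] in ACCOUNT_TOOLS:
            reasons.append(f"account tool executed: {comm} ({exe})")
        touched = ev["paths"] & SENSITIVE_FILES
        if touched and exe not in EXPECTED_WRITERS:      # covers renamed binaries / scripts
            reasons.append(f"unexpected writer {exe} touched {sorted(touched)}")
        if not reasons:
            continue
        when = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc)
        alerts.append({"serial": serial, "time": when.isoformat(), "auid": sc.get("auid"),
                       "exe": exe, "reasons": reasons,
                       "outside_maintenance": when.hour not in MAINTENANCE_HOURS_UTC})
    return alerts

# Constructed sample records (2025-10-21 UTC; serial 4588 is a renamed binary at 03:12).
SAMPLE_AUDIT = """
type=SYSCALL msg=audit(1761040805.214:4521): arch=c000003e syscall=257 success=yes exit=3 ppid=2301 pid=2310 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd_mod"
type=PATH msg=audit(1761040805.214:4521): item=0 name="/etc/passwd" inode=393241 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1761016360.077:4588): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=9912 auid=4294967295 uid=0 gid=0 euid=0 comm="x" exe="/tmp/.cache/x" key="passwd_mod"
type=PATH msg=audit(1761016360.077:4588): item=0 name="/etc/shadow" inode=393250 mode=0100640 nametype=NORMAL
type=SYSCALL msg=audit(1761048000.500:4600): arch=c000003e syscall=257 success=yes exit=3 ppid=2301 pid=2400 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="etc_watch"
type=PATH msg=audit(1761048000.500:4600): item=0 name="/etc/motd" inode=393300 mode=0100644 nametype=NORMAL
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT):
        print(a)
```

Keying the second condition on the file rather than the command name is the point: serial 4588 has comm="x" and exe="/tmp/.cache/x", which no useradd-name rule would catch, but it wrote /etc/shadow from a path that is not in the baseline. The auid of 4294967295 (unset) on that event is a further hint that it did not come from a login session.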

macOS

AN1606

Adversary creates new users using ‘dscl’ commands, GUI tools, or by modifying user plist files. Detection includes monitoring dscl invocation and user-related plist changes.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | macos:unifiedlog | dscl . -create |
| File Modification (DC0061) | macos:unifiedlog | modification to /var/db/dslocal/nodes/Default/users/ |

Mutable Elements

| Field | Description |
| --- | --- |
| UsernamePattern | Attackers may use service-like names to hide malicious accounts |
| ExecutionSource | Accounts created via Terminal vs GUI vs remote session can affect confidence |
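An added example for AN1606 (not from the page or Apple): it walks a syslog-style unified log export, extracts `dscl . -create /Users/<name>` invocations and writes under /var/db/dslocal/nodes/Default/users/, and scores each new account on the two mutable elements: a service-like UsernamePattern, and the ExecutionSource (remote if a preceding sshd login matches the sudo user, GUI-or-API if the plist appeared with no dscl command at all). The log message texts, the name pattern and the scoring are constructed assumptions; the real message bodies from sudo, sshd and opendirectoryd differ in detail, only the path and command come from the page.

```python
"""Score new macOS local accounts from a unified-log export.  Detects
'dscl . -create /Users/<name>' commands and plist writes under the local
directory node, then grades by username pattern and execution source.
The log lines below are constructed; message texts are simplified stand-ins."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) ([^\[]+)\[(\d+)\]: (.*)$')
DSCL_RE = re.compile(r'dscl\s+\.\s+-create\s+/Users/(\S+)')
PLIST_RE = re.compile(r'/var/db/dslocal/nodes/Default/users/([^/\s]+)\.plist')
SSH_RE = re.compile(r'Accepted \w+ for (\S+) from (\S+)')
# Assumed heuristic for names that try to blend in with Apple's _service accounts.
SERVICE_LIKE = re.compile(r'^_|svc|daemon|service|agent|support|update', re.I)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, pid, msg = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z"),
            "host": host, "proc": proc.strip(), "pid": int(pid), "msg": msg}

def confidence(alert):
    # Assumed weights: remote session +2, GUI/API with no dscl trace +1, service-like name +2.
    score = {"remote": 2, "gui-or-api": 1, "terminal": 0}[alert["source"]]
    score += 2 if alert["service_like"] else 0
    return "high" if score >= 3 else "medium" if score >= 1 else "low"

def detect(lines, ssh_window=timedelta(minutes=10), plist_window=timedelta(seconds=5)):
    ssh_logins = []          # (time, user, source ip) from sshd "Accepted" messages
    alerts = []
    for rec in filter(None, map(parse, lines)):
        t, msg = rec["time"], rec["msg"]
        if rec["proc"] == "sshd" and (m := SSH_RE.search(msg)):
            ssh_logins.append((t, m.group(1), m.group(2)))
            continue
        if m := DSCL_RE.search(msg):
            # sudo logs "<invoking user> : TTY=... ; COMMAND=..."; take the invoking user.
            actor = msg.split(" : ", 1)[0].strip() if rec["proc"] == "sudo" else rec["proc"]
            remote = any(u == actor and t - ssh_window <= lt <= t for lt, u, _ in ssh_logins)
            alerts.append({"user": m.group(1), "time": t, "actor": actor,
                           "source": "remote" if remote else "terminal",
                           "service_like": bool(SERVICE_LIKE.search(m.group(1))),
                           "plist_confirmed": False})
            continue
        if m := PLIST_RE.search(msg):
            user = m.group(1)
            prior = next((a for a in alerts if a["user"] == user and not a["plist_confirmed"]
                          and t - plist_window <= a["time"] <= t), None)
            if prior:
                prior["plist_confirmed"] = True       # dscl command explains this write
            else:                                     # write with no dscl trace: GUI or API path
                alerts.append({"user": user, "time": t, "actor": rec["proc"], "source": "gui-or-api",
                               "service_like": bool(SERVICE_LIKE.search(user)), "plist_confirmed": True})
    for a in alerts:
        a["confidence"] = confidence(a)
    return alerts

# Constructed sample export (syslog style); message bodies are simplified.
SAMPLE_LOG = """
2025-10-21 03:13:50.120000+0000 mac01 sshd[3290]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2
2025-10-21 03:14:02.000000+0000 mac01 sudo[3301]: admin : TTY=ttys004 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/_svcupdate UserShell /bin/zsh
2025-10-21 03:14:02.250000+0000 mac01 opendirectoryd[112]: wrote /var/db/dslocal/nodes/Default/users/_svcupdate.plist
2025-10-21 10:05:12.334512+0000 mac01 sudo[2212]: jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/intern2 UserShell /bin/zsh
2025-10-21 10:05:12.500000+0000 mac01 opendirectoryd[112]: wrote /var/db/dslocal/nodes/Default/users/intern2.plist
2025-10-21 14:30:00.000000+0000 mac01 opendirectoryd[112]: wrote /var/db/dslocal/nodes/Default/users/guestsvc.plist
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two of the three accounts come out high: `_svcupdate` because a remote login preceded a service-style name, and `guestsvc` because its plist appeared with no dscl command in the log, which is what an account created through the GUI or a directory API looks like from this vantage point. The plain terminal creation of `intern2` stays low.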

Identity Provider

AN1607

Adversary creates users via IAM/IdP API or portal (e.g., Azure AD, Okta). Detection involves monitoring API calls, admin action logs, and correlation with role assignments.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| User Account Creation (DC0014) | azure:audit | Add user |

Mutable Elements

| Field | Description |
| --- | --- |
| AdminThreshold | Trigger alert only when the account is assigned privileged roles |
| AutomationExemptions | Exclude accounts from known automation processes or provisioning pipelines |

IaaS

AN1608

Adversary creates accounts via cloud service APIs or CLI, often together with access-key generation. Detection relies on CloudTrail or equivalent audit logs.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| User Account Creation (DC0014) | AWS:CloudTrail | CreateUser |
| User Account Modification (DC0010) | AWS:CloudTrail | AttachUserPolicy |

Mutable Elements

| Field | Description |
| --- | --- |
| Region | Alert on account creation outside expected geographies |
| ServiceScope | Filter on creation of users scoped to sensitive services |
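One added example serving both the Identity Provider analytic (AN1607) and the IaaS analytic (AN1608); it is not the page's or any vendor's code. Azure AD audit records ("Add user", "Add member to role") and CloudTrail records (CreateUser, AttachUserPolicy) are normalised into one event shape, and a single correlator applies the four tunables from the two Mutable Elements tables: AdminThreshold (alert only when a privileged role or policy lands on the new account), AutomationExemptions, Region and ServiceScope. The field names follow the real Microsoft Graph audit-log and CloudTrail schemas; the records, account IDs, role and policy lists, region allowlist and one-hour window are constructed assumptions.

```python
"""Correlate IdP / cloud-API account creation with privilege grants.
Azure audit and CloudTrail records are normalised to one shape, then one
correlator applies AdminThreshold, AutomationExemptions, Region, ServiceScope.
All records are constructed samples; field names follow the real schemas."""
import json
from datetime import datetime, timedelta

# Assumed tuning values for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "User Administrator"}
PRIVILEGED_POLICIES = {"AdministratorAccess", "IAMFullAccess", "PowerUserAccess"}
AUTOMATION_ACTORS = {"hr-provisioning-app", "arn:aws:iam::111122223333:role/ProvisioningPipeline"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def azure_events(records):
    """Normalise Azure AD audit-log records ('Add user', 'Add member to role')."""
    for r in records:
        init = r.get("initiatedBy", {})
        actor = ((init.get("user") or {}).get("userPrincipalName")
                 or (init.get("app") or {}).get("displayName"))
        targets = r.get("targetResources", [])
        target = next((t.get("userPrincipalName") for t in targets if t.get("userPrincipalName")), None)
        base = {"src": "azure", "time": _ts(r["activityDateTime"]), "actor": actor,
                "target": target, "region": None}
        if r["activityDisplayName"] == "Add user":
            yield {**base, "kind": "create", "detail": "Add user", "privileged": False}
        elif r["activityDisplayName"] == "Add member to role":
            # Role.DisplayName newValue is a JSON-encoded string in the audit log.
            role = next((json.loads(p["newValue"]) for t in targets
                         for p in t.get("modifiedProperties", [])
                         if p.get("displayName") == "Role.DisplayName"), None)
            yield {**base, "kind": "privilege", "detail": role, "privileged": role in PRIVILEGED_ROLES}

def cloudtrail_events(records):
    """Normalise CloudTrail IAM records (CreateUser, AttachUserPolicy)."""
    for r in records:
        params = r.get("requestParameters") or {}
        base = {"src": "aws", "time": _ts(r["eventTime"]), "actor": r.get("userIdentity", {}).get("arn"),
                "target": params.get("userName"), "region": r.get("awsRegion")}
        if r["eventName"] == "CreateUser":
            yield {**base, "kind": "create", "detail": "CreateUser", "privileged": False}
        elif r["eventName"] == "AttachUserPolicy":
            arn = params.get("policyArn", "")
            yield {**base, "kind": "privilege", "detail": arn,
                   "privileged": arn.rsplit("/", 1)[-1] in PRIVILEGED_POLICIES}   # ServiceScope

def correlate(events, window=timedelta(hours=1)):
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for c in (e for e in events if e["kind"] == "create"):
        if c["actor"] in AUTOMATION_ACTORS:                        # AutomationExemptions
            continue
        reasons = []
        if c["region"] and c["region"] not in EXPECTED_REGIONS:    # Region
            reasons.append(f"created from unexpected region {c['region']}")
        grants = [e["detail"] for e in events if e["kind"] == "privilege" and e["privileged"]
                  and e["target"] == c["target"] and c["time"] <= e["time"] <= c["time"] + window]
        if grants:                                                 # AdminThreshold
            reasons.append(f"privileged grant within {window}: {grants}")
        if reasons:
            alerts.append({"src": c["src"], "target": c["target"], "actor": c["actor"],
                           "time": c["time"].isoformat(), "reasons": reasons})
    return alerts

# Constructed sample records.
AZURE_AUDIT = [
    {"activityDateTime": "2025-10-21T01:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"app": {"displayName": "hr-provisioning-app"}},
     "targetResources": [{"userPrincipalName": "newhire@example.com"}]},
    {"activityDateTime": "2025-10-21T02:10:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-sync@example.com"}]},
    {"activityDateTime": "2025-10-21T02:12:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-sync@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-10-21T04:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "intern@example.com"}]},
]
CLOUDTRAIL = [
    {"eventTime": "2025-10-21T05:00:00Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ProvisioningPipeline"},
     "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2025-10-21T05:30:00Z", "eventName": "CreateUser", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "backup-ops"}},
    {"eventTime": "2025-10-21T05:31:00Z", "eventName": "AttachUserPolicy", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "backup-ops", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-10-21T06:00:00Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "reporting"}},
    {"eventTime": "2025-10-21T06:01:00Z", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "reporting", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for a in correlate(list(azure_events(AZURE_AUDIT)) + list(cloudtrail_events(CLOUDTRAIL))):
        print(a)
```

Of the six creations, only two alert: the Azure user that received Global Administrator two minutes after creation, and the AWS user created from an unexpected region and then given AdministratorAccess (two reasons on one alert). The provisioning app and pipeline role are skipped by AutomationExemptions, and the users that received nothing, or only ReadOnlyAccess, are filtered by AdminThreshold and ServiceScope. The exemption list deserves periodic review, since an automation identity that is itself compromised becomes a blind spot.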