1. Home
  2. Data Components
  3. User Account Creation

User Account Creation

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

ID: DC0014
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
auditd:SYSCALL adduser
auditd:SYSCALL useradd or adduser executed
AWS:CloudTrail CreateUser
azure:audit Add user
docker:daemon ExecCreate + usermod or useradd
m365:unified Add user
networkdevice:syslog username privilege
saas:okta user.lifecycle.create
saas:slack admin.user.create
saas:zoom New user created
WinEventLog:Security EventCode=4720

Detection Strategy

ID Name Technique Detected
DET0353 Detection Strategy for Hidden User Accounts T1564.002
DET0383 Detection Strategy for Masquerading via Account Name Similarity T1036.010
DET0583 Detection Strategy for T1136 - Create Account across platforms T1136
DET0319 Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office T1136.003
DET0447 T1136.001 Detection Strategy - Local Account Creation Across Platforms T1136.001
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms T1136.002