1. Home
  2. Data Components
  3. Active Directory Object Creation

Active Directory Object Creation

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:

  • User Account Creation: New user account.
  • Group Creation: New security/distribution group.
  • OU Creation: New organizational unit.
  • Service Account Creation: New service account for automation or malicious tasks.
  • Trust Object Creation: Trust relationship with another domain.
ID: DC0087
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
AWS:CloudTrail CreateAccessKey, ImportKeyPair, CreateLoginProfile, CreateKeyPair
azure:audit New device object creation
WinEventLog:Security Device Object Creation
WinEventLog:Security EventCode=4928

Detection Strategy

ID Name Technique Detected
DET0531 Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS T1098.001
DET0276 Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse T1207
DET0036 Suspicious Device Registration via Entra ID or MFA Platform T1098.005