An adversary uses built-in OS tools or API calls to create local or domain accounts for persistence or lateral movement, for example `net user <name> <password> /add`, PowerShell (New-LocalUser, New-ADUser), or the Local Users and Groups / Active Directory Users and Computers MMC snap-ins. Detection keys on Security Event ID 4720 (a user account was created) paired with the process lineage and user context of the creator. Note that 4720 is written where the account database lives: a domain account is logged on the domain controller while the creating process ran on the client, so the lineage correlation has to use the client's process telemetry and the 4720 SubjectUserName rather than expect a creating process on the DC.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | WinEventLog:Security | EventCode=4720 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | The gap between the Sysmon EventCode=1 for the creating process and the 4720 varies with environment and automation delays; `net user` also hands the actual work to a child net1.exe, so the nearest process is often one hop below the command the operator typed |
| ParentProcessName | Tools like net.exe or powershell.exe can be normal or malicious depending on what launched them and in which user context |
| UserContext | SYSTEM vs. administrator vs. low-privilege user context changes alert criticality; creation from SYSTEM with no interactive ancestor and no known provisioning agent in the lineage warrants the highest criticality |
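
The correlation the table describes, as an added example that is not part of the original page: it joins each 4720 to Sysmon EventCode=1 records on the same host and logon session (Sysmon LogonId equals the Security SubjectLogonId) inside a time window, walks ParentProcessGuid links to rebuild the process lineage, and grades the hit by user context and lineage root. The events, GUIDs, the 30-second window and the list of expected interactive ancestors are constructed assumptions, not values from the page.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample events (field names follow the real 4720 / Sysmon EID 1 schemas).
SECURITY_4720 = [
    {"TimeCreated": "2024-05-01T02:14:07", "Computer": "WS01",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "SubjectLogonId": "0x3E7", "TargetUserName": "svc-update"},
    {"TimeCreated": "2024-05-01T09:30:12", "Computer": "WS01",
     "SubjectUserName": "jdoe-adm", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x5A1F2", "TargetUserName": "contractor7"},
]
SYSMON_1 = [
    # net.exe launched by an unsigned binary in Temp, running as SYSTEM
    {"UtcTime": "2024-05-01T02:14:04", "Computer": "WS01", "LogonId": "0x3e7",
     "ProcessGuid": "{A}", "ParentProcessGuid": "{X}",
     "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\Temp\\update.exe",
     "CommandLine": "net user svc-update P@ssw0rd! /add"},
    # net.exe hands the work to net1.exe, which is what actually creates the account
    {"UtcTime": "2024-05-01T02:14:05", "Computer": "WS01", "LogonId": "0x3e7",
     "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Windows\\System32\\net1.exe",
     "ParentImage": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user svc-update P@ssw0rd! /add"},
    # unrelated PowerShell in a different logon session at the same time (must not match)
    {"UtcTime": "2024-05-01T02:14:06", "Computer": "WS01", "LogonId": "0x9c2d1",
     "ProcessGuid": "{D}", "ParentProcessGuid": "{Y}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    # admin creating a user interactively through the MMC snap-in
    {"UtcTime": "2024-05-01T09:29:58", "Computer": "WS01", "LogonId": "0x5a1f2",
     "ProcessGuid": "{C}", "ParentProcessGuid": "{Z}",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mmc.exe lusrmgr.msc"},
]

ACCOUNT_TOOLS = {"net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "mmc.exe"}
INTERACTIVE_ROOTS = {"explorer.exe", "mmc.exe"}  # assumed expected interactive ancestors
WINDOW = timedelta(seconds=30)                   # assumed maximum lag between EID 1 and 4720


def _base(path):
    return ntpath.basename(path).lower()


def lineage(event, by_guid):
    """Return [image, parent, grandparent, ...] by following ParentProcessGuid links."""
    chain, cur, seen = [_base(event["Image"])], event, {event["ProcessGuid"]}
    while cur["ParentProcessGuid"] in by_guid and cur["ParentProcessGuid"] not in seen:
        cur = by_guid[cur["ParentProcessGuid"]]
        seen.add(cur["ProcessGuid"])
        chain.append(_base(cur["Image"]))
    if cur["ParentProcessGuid"] not in by_guid:
        chain.append(_base(cur["ParentImage"]))  # oldest ancestor is known only by name
    return chain


def grade(sec, chain):
    """Severity from user context plus the root of the lineage (the UserContext/ParentProcessName elements)."""
    if not chain:
        return "medium"  # no local creator in window: remote creation (SAMR/MMC from another host) or telemetry gap
    root = chain[-1]
    if sec["SubjectUserName"].upper() == "SYSTEM" and root not in INTERACTIVE_ROOTS:
        return "high"    # SYSTEM context driven by a non-interactive ancestor
    if root in INTERACTIVE_ROOTS:
        return "low"     # interactive admin session
    return "medium"


def correlate(sec_events, sysmon_events, window=WINDOW):
    """Join each 4720 to account-tool process creations in the same host+logon session within the window."""
    by_guid = {e["ProcessGuid"]: e for e in sysmon_events}
    alerts = []
    for sec in sec_events:
        t_sec = datetime.fromisoformat(sec["TimeCreated"])
        hits = [p for p in sysmon_events
                if p["Computer"] == sec["Computer"]
                and p["LogonId"].lower() == sec["SubjectLogonId"].lower()
                and _base(p["Image"]) in ACCOUNT_TOOLS
                and timedelta(0) <= t_sec - datetime.fromisoformat(p["UtcTime"]) <= window]
        creator = max(hits, key=lambda p: p["UtcTime"]) if hits else None  # nearest process before the 4720
        chain = lineage(creator, by_guid) if creator else []
        alerts.append({"target": sec["TargetUserName"], "creator": sec["SubjectUserName"],
                       "chain": chain, "severity": grade(sec, chain)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SECURITY_4720, SYSMON_1):
        print(alert)
```

The session join is what keeps the unrelated PowerShell out of the first hit, and walking the lineage past net1.exe and net.exe is what exposes the unsigned parent in Temp; a 4720 with no matching local process is deliberately not dropped, since a remote SAMR creation looks exactly like that on the target host.
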
An adversary invokes `useradd`, `adduser`, or an equivalent command or script to create local users. Detection focuses on execution of the account tools and on the audit trail of writes to /etc/passwd and /etc/shadow; the file-level trail matters because a direct edit (a line appended to /etc/passwd, or a copied and renamed useradd binary) never produces the command-execution signal.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | auditd:SYSCALL | execve of useradd or adduser (e.g. `-w /usr/sbin/useradd -p x`) |
| File Modification (DC0061) | auditd:SYSCALL | write or attribute change to /etc/passwd or /etc/shadow (e.g. `-w /etc/passwd -p wa`); a chmod/chown-only watch misses the rewrite that account creation actually performs |

| Field | Description |
|---|---|
| BinaryPath | Custom scripts or renamed binaries evade simple path-based detection; the passwd/shadow file watch is the backstop, and the writing process's exe should be checked against the expected set (useradd, usermod, passwd, chpasswd, vipw) |
| ExecutionTime | Account creation outside maintenance windows may indicate compromise; an unset login uid (auid=4294967295) on the creating process means no login session was behind it |
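
Both analytics above run over the same raw records, so here is one added example (not code from the page) that reassembles auditd SYSCALL, EXECVE and PATH records by serial number and then applies two rules: useradd/adduser executed, graded by the ExecutionTime element, and a write to /etc/passwd or /etc/shadow by a binary outside an allow-list, which is the BinaryPath backstop for renamed or copied tools. The audit rules, the allow-list, the maintenance window and the abbreviated log lines are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Assumed audit rules behind these records (example rules, not from the page):
#   -w /usr/sbin/useradd -p x -k user_mgmt
#   -w /usr/sbin/adduser -p x -k user_mgmt
#   -w /etc/passwd -p wa -k passwd_changes
#   -w /etc/shadow -p wa -k passwd_changes
# Constructed, abbreviated audit.log lines: a legitimate useradd inside the
# maintenance window, its rewrite of /etc/passwd (shadow-utils writes a sibling
# temp file and renames it), and a write to /etc/shadow by a copied binary
# with no login session behind it.
RAW_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714528447.101:901): arch=c000003e syscall=59 success=yes exit=0 ppid=4410 pid=4412 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="user_mgmt"
type=EXECVE msg=audit(1714528447.101:901): argc=3 a0="useradd" a1="-m" a2="backup-svc"
type=PATH msg=audit(1714528447.101:901): item=0 name="/usr/sbin/useradd" inode=131 dev=fd:01 mode=0100755 nametype=NORMAL
type=SYSCALL msg=audit(1714528447.140:902): arch=c000003e syscall=257 success=yes exit=4 ppid=4410 pid=4412 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=PATH msg=audit(1714528447.140:902): item=1 name="/etc/passwd+" inode=152 dev=fd:01 mode=0100600 nametype=CREATE
type=SYSCALL msg=audit(1714540212.552:950): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2290 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="kworker-x" exe="/dev/shm/.kworker-x" key="passwd_changes"
type=PATH msg=audit(1714540212.552:950): item=0 name="/etc/shadow" inode=140 dev=fd:01 mode=0100640 nametype=NORMAL
"""

ACCOUNT_TOOLS = {"useradd", "adduser"}
CREDENTIAL_FILES = ("/etc/passwd", "/etc/shadow")   # prefix match also covers passwd+ / passwd- siblings
# Assumed allow-list of binaries expected to rewrite the credential files.
EXPECTED_WRITERS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel",
                    "/usr/sbin/adduser", "/usr/sbin/chpasswd", "/usr/bin/passwd",
                    "/usr/sbin/vipw", "/usr/sbin/pwconv"}
MAINTENANCE_HOURS_UTC = range(1, 3)   # assumed change window 01:00-02:59 UTC
AUID_UNSET = "4294967295"             # -1: process not descended from a login session

HEAD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(raw):
    """Group audit records sharing a serial number into one event per syscall."""
    events = {}
    for line in raw.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "ts": float(ts), "PATH": []})
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "PATH":
            ev["PATH"].append(kv)       # one PATH record per path item
        else:
            ev[rtype] = kv              # SYSCALL, EXECVE, ...
    return [events[s] for s in sorted(events, key=int)]


def _argv(execve):
    keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
    return [execve[k] for k in keys]


def analyse(events):
    findings = []
    for ev in events:
        sc = ev.get("SYSCALL", {})
        off_hours = datetime.fromtimestamp(ev["ts"], timezone.utc).hour not in MAINTENANCE_HOURS_UTC
        common = {"serial": ev["serial"], "exe": sc.get("exe"), "auid": sc.get("auid"),
                  "no_session": sc.get("auid") == AUID_UNSET, "off_hours": off_hours}
        argv = _argv(ev.get("EXECVE", {}))
        # Rule 1: useradd/adduser executed; ExecutionTime decides the severity.
        if argv and (sc.get("comm") in ACCOUNT_TOOLS or argv[0].rsplit("/", 1)[-1] in ACCOUNT_TOOLS):
            findings.append({**common, "rule": "account_tool_exec",
                             "target": argv[-1], "severity": "medium" if off_hours else "low"})
        # Rule 2: credential file touched by a writer outside the allow-list. This is the
        # backstop for renamed/copied binaries and direct edits that rule 1 never sees.
        for p in ev["PATH"]:
            if p.get("name", "").startswith(CREDENTIAL_FILES) and sc.get("exe") not in EXPECTED_WRITERS:
                findings.append({**common, "rule": "unexpected_credential_file_writer",
                                 "path": p["name"], "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_records(RAW_AUDIT_LOG)):
        print(finding)
```

Serial 902 produces no finding because its writer is /usr/sbin/useradd; serial 950 fires on the exe path alone, with the unset auid and off-hours time carried along as corroboration. The prefix match on /etc/passwd is intentional: shadow-utils rewrites the file through a sibling temp file and a rename, so an exact-name match on /etc/passwd would miss the actual write.
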
An adversary creates new users with `dscl` (`dscl . -create /Users/<name>`, followed by the UserShell, UniqueID, PrimaryGroupID and NFSHomeDirectory attributes and a `-passwd`), with `sysadminctl -addUser`, through the Users & Groups GUI, or by writing the user's plist directly. Detection covers dscl invocation and changes to the per-user plists under /var/db/dslocal/nodes/Default/users/, which opendirectoryd maintains and only root can modify.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | `dscl . -create /Users/<name>` (process execution of dscl and the matching opendirectoryd entries) |
| File Modification (DC0061) | macos:unifiedlog | creation or modification of a plist under /var/db/dslocal/nodes/Default/users/ |

| Field | Description |
|---|---|
| UsernamePattern | Attackers may use service-like names (an underscore prefix mimicking system daemon accounts) or a UniqueID below 500, which keeps the account off the login window, to hide malicious accounts |
| ExecutionSource | Accounts created via Terminal vs. GUI vs. a remote (SSH/ARD) session carry different confidence |
An adversary creates users through an identity provider's API or admin portal (e.g. Azure AD, now Microsoft Entra ID, or Okta). Detection relies on the directory audit log (Entra audit activity "Add user"; Okta System Log eventType user.lifecycle.create), admin action logs, and correlation with the role assignments that follow ("Add member to role" in Entra).

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | azure:audit | Add user |

| Field | Description |
|---|---|
| AdminThreshold | Trigger the alert only when the new account is subsequently assigned privileged roles (an "Add member to role" activity naming Global Administrator or another privileged role for the same user within a short window) |
| AutomationExemptions | Exclude creations initiated by known automation or provisioning pipelines (HR-driven or SCIM sync service principals); the exemption should not extend to privileged-role assignment, which stays alertable whoever performs it |
Account creation via the cloud provider's IAM API or CLI, typically followed within minutes by credential issuance (CreateAccessKey, CreateLoginProfile) and policy attachment. Monitored via CloudTrail or the equivalent audit log.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | AWS:CloudTrail | CreateUser |
| User Account Modification (DC0010) | AWS:CloudTrail | AttachUserPolicy |

| Field | Description |
|---|---|
| Region | Alert on account creation outside expected geographies. IAM is a global service and, in the standard partition, CloudTrail stamps its calls with awsRegion us-east-1 wherever the caller is, so geography has to be judged from sourceIPAddress rather than awsRegion |
| ServiceScope | Filter on creation of users whose attached policies grant access to sensitive services |
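
The identity-provider and IaaS analytics above share the same tuning logic (an AdminThreshold on subsequent privilege grants, AutomationExemptions for provisioning principals, and a geography check), so one added example covers both; it is not code from the page and it uses CloudTrail records because those carry the CreateUser / AttachUserPolicy / CreateAccessKey chain end to end. The records, account ID, role names, policy ARNs and the corporate egress range are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta


def _ev(t, name, arn, src, **params):
    """Build a minimal CloudTrail IAM record (constructed sample data)."""
    return {"eventTime": t, "eventSource": "iam.amazonaws.com", "eventName": name,
            "awsRegion": "us-east-1",  # IAM is global; CloudTrail stamps us-east-1 regardless of caller
            "sourceIPAddress": src, "userIdentity": {"arn": arn}, "requestParameters": params}


JSMITH = "arn:aws:iam::111122223333:user/jsmith"
ITADMIN = "arn:aws:iam::111122223333:user/it-admin"
CI = "arn:aws:sts::111122223333:assumed-role/ci-provisioner/GitHubActions"
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
READONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"

CLOUDTRAIL_EVENTS = [
    # human user from an unknown address: create, grant admin, mint a key
    _ev("2024-05-01T02:10:00Z", "CreateUser", JSMITH, "203.0.113.7", userName="backup-svc"),
    _ev("2024-05-01T02:10:21Z", "AttachUserPolicy", JSMITH, "203.0.113.7", userName="backup-svc", policyArn=ADMIN),
    _ev("2024-05-01T02:10:40Z", "CreateAccessKey", JSMITH, "203.0.113.7", userName="backup-svc"),
    # known pipeline doing routine, non-privileged provisioning (exempt)
    _ev("2024-05-01T09:00:00Z", "CreateUser", CI, "198.51.100.23", userName="deploy-bot-42"),
    _ev("2024-05-01T09:00:05Z", "AttachUserPolicy", CI, "198.51.100.23", userName="deploy-bot-42", policyArn=READONLY),
    # admin from the office, no follow-up events
    _ev("2024-05-01T10:15:00Z", "CreateUser", ITADMIN, "198.51.100.40", userName="temp-auditor"),
    # same pipeline, but this time it grants admin: not exempt
    _ev("2024-05-01T11:00:00Z", "CreateUser", CI, "198.51.100.23", userName="deploy-bot-43"),
    _ev("2024-05-01T11:00:04Z", "AttachUserPolicy", CI, "198.51.100.23", userName="deploy-bot-43", policyArn=ADMIN),
]

PRIVILEGED_POLICIES = {ADMIN, "arn:aws:iam::aws:policy/IAMFullAccess", "arn:aws:iam::aws:policy/PowerUserAccess"}
AUTOMATION_ROLES = {"ci-provisioner", "hr-sync"}                  # assumed known provisioning roles
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]      # assumed corporate egress range
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def role_name(arn):
    """'arn:aws:sts::acct:assumed-role/ROLE/SESSION' -> 'ROLE'; None for IAM users and root."""
    resource = arn.split(":", 5)[-1]
    return resource.split("/")[1] if resource.startswith("assumed-role/") else None


def from_expected_source(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # AWS service principals log a DNS name here, so there is no client geography to judge
    return any(ip in net for net in EXPECTED_SOURCES)


def triage(events, window=timedelta(hours=1)):
    """For each CreateUser, gather follow-up IAM calls on the same user and apply the threshold/exemption logic."""
    iam = sorted((e for e in events if e["eventSource"] == "iam.amazonaws.com"), key=_ts)
    findings = []
    for e in iam:
        if e["eventName"] != "CreateUser":
            continue
        user, t0 = e["requestParameters"]["userName"], _ts(e)
        follow = [f for f in iam if f is not e and f["requestParameters"].get("userName") == user
                  and timedelta(0) <= _ts(f) - t0 <= window]
        privileged = [f["requestParameters"]["policyArn"] for f in follow
                      if f["eventName"] == "AttachUserPolicy"
                      and f["requestParameters"]["policyArn"] in PRIVILEGED_POLICIES]
        creds = [f["eventName"] for f in follow if f["eventName"] in CREDENTIAL_EVENTS]
        automation = role_name(e["userIdentity"]["arn"]) in AUTOMATION_ROLES
        if automation and not privileged:
            continue  # AutomationExemptions: known pipeline doing non-privileged provisioning
        unexpected_source = not from_expected_source(e["sourceIPAddress"])
        severity = "high" if privileged else "medium" if (creds or unexpected_source) else "low"
        findings.append({"user": user, "creator": e["userIdentity"]["arn"], "severity": severity,
                         "privileged_policies": privileged, "credential_events": creds,
                         "unexpected_source": unexpected_source, "automation": automation})
    return findings


if __name__ == "__main__":
    for finding in triage(CLOUDTRAIL_EVENTS):
        print(finding)
```

The exemption is deliberately one-sided: a provisioning role is silenced for ordinary creations but still raises a high-severity finding when it attaches a privileged policy, which is the case where a compromised pipeline credential would otherwise hide. For Entra ID the same shape applies with "Add user" in place of CreateUser and "Add member to role" in place of AttachUserPolicy.
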