Windows DFIR
4720 - Account Creation

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Event ID 4720 is recorded in the Windows Security Event Log when a user account is created. It belongs to the User Account Management audit subcategory of Windows security auditing. Monitoring and analyzing this event lets security teams detect, investigate, and respond to unauthorized account creation, which can indicate a security breach or an insider threat.

The event is logged by the Security subsystem of Windows when the audit policy for "Audit User Account Management" is enabled, and a new user account is created on the system.

Category: Audit User Account Management

Significance:

  • Security Implications: Unauthorized account creation is a common technique used by attackers to gain persistent access to a system or network, escalate privileges, or facilitate lateral movement.

  • Compliance and Operational Integrity: Ensuring that only authorized accounts are created and exist within an environment is critical for compliance with various regulatory standards and maintaining operational integrity.

Details Included in Event ID 4720

  • Subject: Information about the user or process that initiated the account creation, including the Security ID (SID), account name, domain name, and logon ID.

  • New Account Information: Details about the newly created account, such as the Security ID, account name, domain, and attributes.

  • Attributes: This includes additional properties of the created account like "User Principal Name", "Home Directory", "Home Drive", "Script Path", "Profile Path", etc., which provide further context about the account's intended use or configuration.

How to Use Event ID 4720 for Security

Detection and Alerting: Configuring security information and event management (SIEM) systems or other monitoring tools to alert on this event ID helps in early detection of potentially malicious activity.

Forensic Analysis: In the event of a security incident, forensic analysts can use this event to trace back unauthorized activities, understand the scope of an attack, or identify the method of compromise.

Account Management Audits: Regularly reviewing events related to account creation, modification, and deletion can help organizations enforce least privilege, ensure compliance, and detect signs of insider threats.

Best Practices for Monitoring Event ID 4720

  • Enable Detailed Auditing: Ensure that "Audit User Account Management" is enabled in your Group Policy settings to capture events related to user account management activities.

  • Regular Reviews: Incorporate the review of this event ID into regular security audits and monitoring routines.

  • Contextual Analysis: Always analyze this event in conjunction with other events and logs. For example, correlating it with events indicating privilege assignment (e.g., Event ID 4728 - A member was added to a security-enabled global group) can provide insights into potential escalation of privileges.

  • Alert Configuration: Configure alerts for unusual times (e.g., account creation outside of business hours) or high volumes of account creation events, which could indicate automated attacks or policy violations.
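The following script is an added example, not code from this page, from Microsoft, or from any tool the page names. It ties together the "Details Included in Event ID 4720" section and the correlation and alerting practices listed above: it flattens Security events exported as XML (the shape that `Get-WinEvent` returns from `.ToXml()`) into the Subject and New Account fields, then applies three checks: creation outside business hours, the new account's SID being added to a security-enabled group shortly afterwards (4720 `TargetSid` matched against the `MemberSid` of 4728/4732), and one subject creating several accounts in a short burst. Every SID, account name, timestamp and threshold below is constructed or assumed for the sample; the business-hours window is evaluated in UTC for simplicity and would be converted to site local time in a real deployment.

```python
"""Added example: parse Windows Security event XML for 4720 / 4728 / 4732 and
apply the correlation and alerting rules described on the page.
All sample SIDs, names, times and thresholds are constructed or assumed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BUSINESS_HOURS = (8, 18)                                   # assumed normal window (UTC here)
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(minutes=10)   # assumed burst rule
PRIV_WINDOW = timedelta(minutes=30)                        # assumed creation-to-group window
GROUP_ADD_EVENTS = {4728, 4732}   # member added to a security-enabled global / local group


def parse_system_time(ts):
    """Windows writes 7 fractional digits (100 ns units); strptime's %f accepts at most 6."""
    base, frac = ts.rstrip("Z").split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, TimeCreated, plus every <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "TimeCreated": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime"))}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def analyze(events):
    """Return (rule, detail) findings for the three checks recommended on the page."""
    findings = []
    created = [e for e in events if e["EventID"] == 4720]
    group_adds = [e for e in events if e["EventID"] in GROUP_ADD_EVENTS]
    for e in created:
        # Rule 1: account created outside the assumed business-hours window.
        if not (BUSINESS_HOURS[0] <= e["TimeCreated"].hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours_creation", e["TargetUserName"]))
        # Rule 2: the new account's SID lands in a security group soon afterwards
        # (4720 TargetSid == 4728/4732 MemberSid), a privilege-escalation pattern.
        for g in group_adds:
            delta = g["TimeCreated"] - e["TimeCreated"]
            if g["MemberSid"] == e["TargetSid"] and timedelta(0) <= delta <= PRIV_WINDOW:
                findings.append(("created_then_added_to_group",
                                 f'{e["TargetUserName"]} -> {g["TargetUserName"]}'))
    # Rule 3: one subject (account + logon session) creating many accounts quickly.
    by_subject = defaultdict(list)
    for e in created:
        by_subject[(e["SubjectUserName"], e["SubjectLogonId"])].append(e["TimeCreated"])
    for (user, _logon_id), times in by_subject.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                findings.append(("creation_burst", user))
                break
    return findings


def _xml(event_id, system_time, data):
    """Build a minimal Security event XML string (constructed test data only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{system_time}'/></System><EventData>{rows}</EventData></Event>")


SUBJECT = {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "helpdesk1",
           "SubjectDomainName": "CORP", "SubjectLogonId": "0x5a3f2"}   # constructed


def _created(ts, name, rid, subject=SUBJECT):
    """Constructed 4720 record with the Subject / New Account fields the page lists."""
    return _xml(4720, ts, {"TargetUserName": name, "TargetDomainName": "CORP",
                           "TargetSid": f"S-1-5-21-1111-2222-3333-{rid}", **subject,
                           "UserPrincipalName": f"{name}@corp.example", "ScriptPath": "-"})


# Constructed sample: a Saturday-night run from one helpdesk session, plus one normal Monday creation.
SAMPLE_EVENTS = [
    _created("2024-03-02T22:14:03.1234567Z", "jdoe", 1105),
    _xml(4728, "2024-03-02T22:16:40.0000000Z", {"MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example",
         "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "Domain Admins",
         "TargetDomainName": "CORP", "TargetSid": "S-1-5-21-1111-2222-3333-512", **SUBJECT}),
    _created("2024-03-02T22:20:01.0000000Z", "tmp01", 1106),
    _created("2024-03-02T22:21:15.0000000Z", "tmp02", 1107),
    _created("2024-03-02T22:22:30.0000000Z", "tmp03", 1108),
    _created("2024-03-04T10:05:00.0000000Z", "newhire01", 1109,
             {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1002", "SubjectUserName": "hr_admin",
              "SubjectDomainName": "CORP", "SubjectLogonId": "0x7c210"}),
]


def run_sample():
    """Parse the constructed events and return the findings."""
    return analyze([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:30} {detail}")
```

Against the sample the three helpdesk creations at 22:20, 22:21 and 22:22 trip the burst rule, all four Saturday-night creations are flagged as off-hours, and `jdoe` is reported as created and then added to `Domain Admins` within the window, while the Monday `newhire01` creation produces nothing. To run it on real data, replace `SAMPLE_EVENTS` with the `.ToXml()` output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4728,4732}`, collected from the domain controllers for domain accounts and from the individual hosts for local accounts, since 4720 is written on the system where the account is created.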

Limitations

While Event ID 4720 is a valuable indicator of account creation activities, it alone does not provide information on the legitimacy or authorization of the action. Additional context, correlation with other events, and understanding of the normal baseline are necessary for effective analysis.


Last updated 1 year ago
