
Event ID 4720 — A user account was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

A user account was created.

Message #

A user account was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	Display Name: %10
	User Principal Name: %11
	Home Directory: %12
	Home Drive: %13
	Script Path: %14
	Profile Path: %15
	User Workstations: %16
	Password Last Set: %17
	Account Expires: %18
	Primary Group ID: %19
	Allowed To Delegate To: %20
	Old UAC Value: %21
	New UAC Value: %22
	User Account Control: %23
	User Parameters: %24
	SID History: %25
	Logon Hours: %26

Additional Information:
	Privileges		%8

Fields #

Name                  Type           Description
TargetUserName        UnicodeString  [New Account] Account Name.
TargetDomainName      UnicodeString  [New Account] Account Domain.
TargetSid             SID            [New Account] Security ID.
SubjectUserSid        SID            [Subject] Security ID.
SubjectUserName       UnicodeString  [Subject] Account Name.
SubjectDomainName     UnicodeString  [Subject] Account Domain.
SubjectLogonId        HexInt64       [Subject] Logon ID.
PrivilegeList         UnicodeString  [Additional Information] Privileges (see the privilege constants reference).
SamAccountName        UnicodeString  [Attributes] SAM Account Name.
DisplayName           UnicodeString  [Attributes] Display Name.
UserPrincipalName     UnicodeString  [Attributes] User Principal Name.
HomeDirectory         UnicodeString  [Attributes] Home Directory.
HomePath              UnicodeString  [Attributes] Home Drive.
ScriptPath            UnicodeString  [Attributes] Script Path.
ProfilePath           UnicodeString  [Attributes] Profile Path.
UserWorkstations      UnicodeString  [Attributes] User Workstations.
PasswordLastSet       UnicodeString  [Attributes] Password Last Set.
AccountExpires        UnicodeString  [Attributes] Account Expires.
PrimaryGroupId        UnicodeString  [Attributes] Primary Group ID.
AllowedToDelegateTo   UnicodeString  [Attributes] Allowed To Delegate To.
OldUacValue           UnicodeString  [Attributes] Old UAC Value (see the UAC flags reference).
NewUacValue           UnicodeString  [Attributes] New UAC Value (see the UAC flags reference).
UserAccountControl    UnicodeString  [Attributes] User Account Control.
UserParameters        UnicodeString  [Attributes] User Parameters.
SidHistory            UnicodeString  [Attributes] SID History.
LogonHours            UnicodeString  [Attributes] Logon Hours.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4720,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:34.963101+00:00",
    "event_record_id": 2779,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "User",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "SamAccountName": "User",
    "DisplayName": "%%1793",
    "UserPrincipalName": "-",
    "HomeDirectory": "%%1793",
    "HomePath": "%%1793",
    "ScriptPath": "%%1793",
    "ProfilePath": "%%1793",
    "UserWorkstations": "%%1793",
    "PasswordLastSet": "%%1794",
    "AccountExpires": "%%1794",
    "PrimaryGroupId": "513",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "0x0",
    "NewUacValue": "0x15",
    "UserAccountControl": "\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084",
    "UserParameters": "%%1793",
    "SidHistory": "-",
    "LogonHours": "%%1797"
  },
  "message": ""
}
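
The example record above was collected from the raw event data rather than the rendered message (note the empty "message" field): attribute values that the Event Viewer would display as text still carry %%NNNN parameter-message tokens, and the UAC values are hex bitmasks. The following Python is an added example, not code from the original page: it expands OldUacValue/NewUacValue into flag names and resolves the tokens. The flag table is taken from the USER_ACCOUNT codes in MS-SAMR section 2.2.1.12 and the token-to-string map from Microsoft's documentation of this event; both are assumptions layered on top of the page, and any token not in the map is kept verbatim rather than guessed.

```python
import json
import re

# Constructed input: the event_data subset of the example 4720 record above.
SAMPLE_EVENT = json.loads(r'''{
  "event_data": {
    "TargetUserName": "User",
    "TargetDomainName": "WINDEV2310EVAL",
    "SubjectUserName": "WINDEV2310EVAL$",
    "OldUacValue": "0x0",
    "NewUacValue": "0x15",
    "UserAccountControl": "\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084",
    "DisplayName": "%%1793",
    "PasswordLastSet": "%%1794",
    "LogonHours": "%%1797"
  }
}''')

# Assumption: USER_ACCOUNT codes from MS-SAMR 2.2.1.12. These are the SAM
# flags the event reports, not the LDAP userAccountControl bit layout.
USER_ACCOUNT_FLAGS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "USER_NORMAL_ACCOUNT",
    0x00000020: "USER_MNS_LOGON_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00000800: "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00004000: "USER_NOT_DELEGATED",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
    0x00040000: "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# Assumption: parameter-message strings as rendered by the Security log for
# this event. Tokens not listed here (e.g. %%1797) are passed through as-is.
PARAM_MESSAGES = {
    "%%1793": "-",
    "%%1794": "<never>",
    "%%2080": "Account Disabled",
    "%%2082": "'Password Not Required' - Enabled",
    "%%2084": "'Normal Account' - Enabled",
}

# Flags on a freshly created account that deserve a second look.
RISKY = {"USER_PASSWORD_NOT_REQUIRED", "USER_DONT_EXPIRE_PASSWORD",
         "USER_DONT_REQUIRE_PREAUTH", "USER_TRUSTED_FOR_DELEGATION",
         "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION", "USER_USE_DES_KEY_ONLY"}

TOKEN_RE = re.compile(r"%%\d+")


def decode_uac(value):
    """Expand a hex UAC value from the event into flag names, low bit first."""
    bits = int(value, 16)
    names = []
    for flag, name in sorted(USER_ACCOUNT_FLAGS.items()):
        if bits & flag:
            names.append(name)
            bits &= ~flag
    if bits:  # bits the table does not know: report them rather than drop them
        names.append("UNKNOWN(0x%x)" % bits)
    return names


def uac_diff(old, new):
    """Flags set and cleared between OldUacValue and NewUacValue."""
    o, n = int(old, 16), int(new, 16)
    return {"set": decode_uac(hex(n & ~o)), "cleared": decode_uac(hex(o & ~n))}


def risky_flags(value):
    return [f for f in decode_uac(value) if f in RISKY]


def resolve_tokens(field):
    """Replace %%NNNN tokens with display strings; a field without tokens is
    returned unchanged as a one-element list, unknown tokens stay verbatim."""
    tokens = TOKEN_RE.findall(field)
    if not tokens:
        return [field]
    return [PARAM_MESSAGES.get(t, t) for t in tokens]


def summarize(event):
    d = event["event_data"]
    return {
        "account": "%s\\%s" % (d["TargetDomainName"], d["TargetUserName"]),
        "flags": decode_uac(d["NewUacValue"]),
        "flags_set": uac_diff(d["OldUacValue"], d["NewUacValue"])["set"],
        "risky": risky_flags(d["NewUacValue"]),
        "uac_text": resolve_tokens(d["UserAccountControl"]),
        "password_last_set": resolve_tokens(d["PasswordLastSet"])[0],
        "logon_hours": resolve_tokens(d["LogonHours"])[0],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENT).items():
        print("%-18s %s" % (k, v))
```

For the record above, 0x15 decodes to USER_ACCOUNT_DISABLED, USER_PASSWORD_NOT_REQUIRED and USER_NORMAL_ACCOUNT, which is exactly what the three UserAccountControl tokens render as; on a 4720 the "set" side of the diff is the whole value because OldUacValue is 0x0. The same decoder applies to the UAC pair in 4738 (account changed), where the diff is what matters.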

Detection Patterns #

Detection Rules #


Sigma #

  • Hidden Local User Creation (level: high): Detects the creation of a local hidden user account which should not happen for event ID 4720.
  • Suspicious Windows ANONYMOUS LOGON Local Account Created (level: high): Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
  • Local User Creation (level: low): Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Splunk #

  • Windows Create Local Account: The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.

Kusto Query Language #

  • Fake computer account created (level: medium): This query detects domain user account creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts, and when they are created the event ID 4741 is generated instead.
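
The four patterns summarised above, re-implemented over a handful of constructed 4720 records as an added example (this is not the Sigma, Splunk or KQL rule code, which you should take from their sources). The published rules match on event ID 4720 and the account name and rely on where you deploy them (member servers versus DCs); the local-versus-domain distinction used here, comparing TargetDomainName with the host that logged the record, is an assumption added so that the local-account rules and the fake-computer-account rule can run in one pass over mixed logs.

```python
import re

# Constructed sample 4720 events: the event_data fields the rules need plus
# the Computer the record was written on. The first entry mirrors the
# example event on this page.
SAMPLE_EVENTS = [
    {"computer": "WinDev2310Eval", "TargetUserName": "User",
     "TargetDomainName": "WINDEV2310EVAL", "SubjectUserName": "WINDEV2310EVAL$"},
    {"computer": "WinDev2310Eval", "TargetUserName": "backup$",
     "TargetDomainName": "WINDEV2310EVAL", "SubjectUserName": "Administrator"},
    {"computer": "DC01", "TargetUserName": "ANONYMOUS  LOGON",
     "TargetDomainName": "CORP", "SubjectUserName": "jdoe"},
    {"computer": "DC01", "TargetUserName": "WS042$",
     "TargetDomainName": "CORP", "SubjectUserName": "jdoe"},
    {"computer": "DC01", "TargetUserName": "jdoe2",
     "TargetDomainName": "CORP", "SubjectUserName": "helpdesk"},
]

WS_RE = re.compile(r"\s+")


def is_local_account(ev):
    # Assumption: the account lives in the host's local SAM when the account
    # domain equals the logging computer's name (case-insensitive). Domain
    # accounts carry the NetBIOS domain name instead.
    return ev["TargetDomainName"].upper() == ev["computer"].upper()


def rule_hidden_local_user(ev):
    # Sigma "Hidden Local User Creation": a trailing $ hides the account from
    # "net user" style listings; legitimate local users never end in $.
    return is_local_account(ev) and ev["TargetUserName"].endswith("$")


def rule_anonymous_logon_lookalike(ev):
    # Sigma "Suspicious Windows ANONYMOUS LOGON Local Account Created":
    # fold case and collapse runs of whitespace so "ANONYMOUS  LOGON" (two
    # spaces) still matches the well-known name it imitates.
    name = WS_RE.sub(" ", ev["TargetUserName"]).strip().upper()
    return "ANONYMOUS LOGON" in name


def rule_local_user_creation(ev):
    # Sigma "Local User Creation" / Splunk "Windows Create Local Account":
    # any local account created on a domain-joined server is worth a look.
    return is_local_account(ev)


def rule_fake_computer_account(ev):
    # KQL "Fake computer account created": real computer accounts produce
    # 4741, so a 4720 for a domain name ending in $ is a user masquerading.
    return not is_local_account(ev) and ev["TargetUserName"].endswith("$")


RULES = [
    ("hidden_local_user", rule_hidden_local_user),
    ("anonymous_logon_lookalike", rule_anonymous_logon_lookalike),
    ("local_user_creation", rule_local_user_creation),
    ("fake_computer_account", rule_fake_computer_account),
]


def evaluate(ev):
    """Names of the rules that fire for one 4720 record, in RULES order."""
    return [name for name, check in RULES if check(ev)]


def triage(events):
    """(account, fired rules) for every record; empty list means no hit."""
    return [(ev["TargetDomainName"] + "\\" + ev["TargetUserName"], evaluate(ev))
            for ev in events]


if __name__ == "__main__":
    for account, hits in triage(SAMPLE_EVENTS):
        print("%-28s %s" % (account, ", ".join(hits) or "-"))
```

Run against the samples, the page's own example fires only the low-severity local-creation rule, "backup$" on the workstation fires both it and the hidden-user rule, the double-spaced ANONYMOUS LOGON lookalike and "WS042$" in CORP each fire one rule, and the ordinary domain user "jdoe2" fires none. In production the local-creation rule is the one that needs the deployment caveat from the Sigma description: apply it to member-server logs, not DC logs, or the volume will bury the rest.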
