DC0006: Web Credential Creation
Initial construction of new web credential material (ex: Windows EID 1200 or 4769)
Analyst context for executives and security teams
Web Credential Creation is an ATT&CK data component describing evidence that new web credential material has been created. For leaders, its value is not as a standalone threat behavior, but as a coverage checkpoint: if the organization cannot reliably see when web credentials are newly created, SOC and incident response teams may struggle to validate account changes, investigate suspicious identity activity, or produce audit-ready evidence after an incident.
Executive priority
Prioritize this as an identity and evidence-readiness question: do security, IAM, and audit teams have trustworthy logs showing creation of new web credential material, and are those logs retained long enough for investigations? Because ATT&CK provides no associated techniques, tactics, platforms, or detection guidance here, this should be treated as a telemetry control validation item rather than proof of a specific adversary behavior.
Technical view
SOC and detection teams should inventory where web credential creation events are generated and whether those sources are ingested, normalized, timestamped, and tied to user, service, host, and application context. The official ATT&CK description gives Windows event examples, including EID 1200 and 4769, but the object does not define platforms or detection logic, so teams should validate relevance in their own environment before building alerts.
Likely telemetry
- Identity provider or directory service logs related to web credential material creation
- Authentication and ticketing logs where applicable, including the official examples Windows EID 1200 and 4769
- Application or web platform audit logs that record credential enrollment or creation
- Administrative activity logs showing who or what initiated credential creation
- SIEM-normalized identity event records with user, service, host, time, and source context
Detection direction
- First validate collection and retention rather than assume detection coverage; ATT&CK provides no official detection text for this data component.
- Confirm whether events distinguish legitimate enrollment, administrative provisioning, automated service activity, and unusual credential creation.
- Tune around expected lifecycle events such as onboarding, passwordless enrollment, application setup, or service account maintenance to reduce false positives.
- Correlate credential creation with nearby authentication, privilege, administrative, or account-change activity where local telemetry supports it.
- Document blind spots where credential creation occurs in applications, identity systems, or web services that do not forward audit events to the SOC.
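The collection-and-retention validation described above can be scripted against exported SIEM records. The sketch below is an added example, not ATT&CK or Glexia code; the normalized field names, the source names, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

CREDENTIAL_EVENT_IDS = {1200, 4769}  # the example event IDs cited on this page
# Assumed normalized field names; map them to your SIEM schema.
REQUIRED_CONTEXT = ("timestamp", "user", "service", "host", "application")

def parse_ts(value):
    """Return a timezone-aware datetime, or None if absent or unusable."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo else None  # naive times cannot be ordered across sources

def audit_coverage(events, expected_sources, now, retention_days):
    """Return {source: [issues]} for credential-creation telemetry readiness."""
    blank = lambda: {"events": 0, "missing": set(), "oldest": None}
    report = {s: blank() for s in expected_sources}
    for ev in events:
        if ev.get("event_id") not in CREDENTIAL_EVENT_IDS:
            continue
        row = report.setdefault(ev.get("source", "unknown"), blank())
        row["events"] += 1
        ts = parse_ts(ev.get("timestamp"))
        row["missing"] |= {f for f in REQUIRED_CONTEXT if not ev.get(f)}
        if ts is None:
            row["missing"].add("timestamp")
        elif row["oldest"] is None or ts < row["oldest"]:
            row["oldest"] = ts
    findings = {}
    for source, row in report.items():
        issues = []
        if row["events"] == 0:
            issues.append("blind spot: no events ingested")
        if row["missing"]:
            issues.append("missing context: " + ", ".join(sorted(row["missing"])))
        if row["oldest"] and (now - row["oldest"]).days < retention_days:
            issues.append("retention not demonstrated")
        findings[source] = issues
    return findings
# Constructed sample records and hypothetical source names, for illustration only.
NOW = datetime(2026, 1, 31, tzinfo=timezone.utc)
SAMPLE = [
    {"source": "adfs", "event_id": 1200, "timestamp": "2025-09-01T08:00:00+00:00",
     "user": "alice", "service": "sts", "host": "fs01", "application": "portal"},
    {"source": "adfs", "event_id": 4624, "timestamp": "2026-01-30T08:00:00+00:00"},
    {"source": "dc-security", "event_id": 4769, "timestamp": "2026-01-20T10:00:00+00:00",
     "user": "bob", "service": "HTTP/app01", "host": "dc01", "application": ""},
]
```

Calling `audit_coverage(SAMPLE, ["adfs", "dc-security", "webapp-audit"], NOW, 90)` reports a clean `adfs` source, a `dc-security` source with missing application context and undemonstrated retention, and `webapp-audit` as a blind spot.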
Mitigation priorities
- Ensure credential creation events are logged at the authoritative identity, application, or directory source.
- Restrict who can create or enroll web credential material through least privilege and administrative workflow controls.
- Require reviewable approval or change evidence for high-risk credential creation paths where business process allows.
- Retain logs long enough to support incident response, compliance evidence, and identity investigations.
- Periodically test whether newly created credential material appears in central monitoring with sufficient context for triage.
Analyst notes and limits
This object is a data component, not a technique. Its main defensive value is helping teams verify whether they have evidence for an important class of identity activity. The absence of relationship context means it should not be mapped to a specific adversary objective without additional ATT&CK relationships or local incident evidence.
ATT&CK supplies only a short description and example event IDs. No official detection guidance, tactics, platforms, related techniques, or relationships were supplied, so environment-specific validation is required before defining alert logic or risk conclusions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 0cc0190383ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.