DC0014: User Account Creation
The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.
Analyst context for executives and security teams
User Account Creation is a foundational identity event: a new user, service, or machine account appears in an operating system, cloud environment, or identity management system. For leaders, its value is not that every new account is suspicious, but that unmanaged account creation can quickly change who or what can access business systems. This data component helps validate whether identity governance, SOC monitoring, and incident response teams can see new access being introduced across the environment.
Executive priority
Prioritize this as an identity control and audit-evidence question: can the organization prove who created new accounts, why they were created, what privileges they received, and whether creation followed approved process? Gaps affect business resilience because unauthorized or poorly governed accounts can undermine access control, incident containment, compliance reporting, and cloud or enterprise administration oversight.
Technical view
SOC, detection engineering, IAM, cloud security, and IR teams should confirm that account-creation events are collected from relevant operating systems, cloud environments, and identity management systems. Because ATT&CK provides no specific detection logic, platforms, tactics, or relationship context for this object, teams should map local sources to this data component and validate fields such as creator, created account, account type, timestamp, source system, initial group or role assignment, and approval/change context.
Likely telemetry
- Identity provider and directory audit logs for new user, service, or machine account creation
- Cloud control-plane or IAM audit logs showing new principals or identities
- Operating system security logs that record local or domain account creation
- Privileged access management or identity governance workflow records for approval context
- Change management tickets or HR/provisioning system records to distinguish expected from unexpected creation
Detection direction
- Validate that account-creation events are ingested from all authoritative identity locations, not only the primary directory.
- Correlate new account creation with approval, HR onboarding, service account request, or change-management records to reduce false positives.
- Tune for higher-risk context such as creation by unusual administrators, creation outside standard windows, unexpected service or machine accounts, or accounts immediately receiving elevated access; confirm these patterns against local policy before alerting.
- Check blind spots in cloud identity, local administrator accounts, non-human accounts, and disconnected identity stores.
- For incident response, preserve account creation logs and related privilege assignment events so investigators can reconstruct how access was introduced.
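The correlation and risk-context checks above, together with the field validation called for in the Technical view, are easier to reason about as a concrete pass over telemetry. The following is an added example written for this page; it is not code from MITRE, ATT&CK or Glexia. It assumes Windows Security events 4720 (a user account was created) and 4728 (a member was added to a security-enabled global group) as the operating-system source, already normalized into the creator / created account / timestamp / source system / group fields named above; the sample records, the approval list, the set of expected provisioning identities, the business-hours window and the privileged-group list are all constructed, illustrative local policy values rather than anything ATT&CK specifies.

```python
"""Added example: score constructed account-creation events against approval
records and higher-risk context (unusual creator, off-hours creation, local
account on a member server, elevation shortly after creation).

All event records, approvals and policy constants below are constructed for
illustration; real 4720/4728 records carry SubjectUserName, TargetUserName and
MemberName fields that would be normalized into this shape first.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# --- Constructed, pre-normalized sample telemetry (not real log data) --------
WINDOWS_EVENTS = [
    {"event_id": 4720, "time": "2026-03-02T09:15:00", "host": "DC01",
     "subject": "svc_provisioning", "target": "jdoe"},
    {"event_id": 4720, "time": "2026-03-02T23:41:00", "host": "DC01",
     "subject": "adm_carol", "target": "svc_backup2"},
    {"event_id": 4728, "time": "2026-03-02T23:42:30", "host": "DC01",
     "subject": "adm_carol", "target": "svc_backup2", "group": "Domain Admins"},
    {"event_id": 4720, "time": "2026-03-02T10:05:00", "host": "FILESRV7",
     "subject": "adm_bob", "target": "tmpadmin"},
]

# Hypothetical HR onboarding / change-management approvals keyed by account.
APPROVALS = {"jdoe": "HR-ONB-1187"}

# Illustrative local policy (assumed, not from ATT&CK).
EXPECTED_CREATORS = {"svc_provisioning"}          # identities allowed to provision
BUSINESS_HOURS = (8, 18)                          # 08:00-18:00 local time
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIV_WINDOW = timedelta(hours=1)                  # "immediately" elevated
DOMAIN_CONTROLLERS = {"DC01"}                     # creation elsewhere = local account


@dataclass
class Finding:
    account: str
    creator: str
    created_at: str
    source: str
    approval: Optional[str]
    reasons: list = field(default_factory=list)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def analyze(events, approvals, expected_creators=EXPECTED_CREATORS,
            business_hours=BUSINESS_HOURS, privileged_groups=PRIVILEGED_GROUPS,
            priv_window=PRIV_WINDOW, domain_controllers=DOMAIN_CONTROLLERS):
    """Return one Finding per 4720 creation that fails at least one check."""
    creations = [e for e in events if e["event_id"] == 4720]
    group_adds = [e for e in events if e["event_id"] == 4728]
    findings = []
    for c in creations:
        f = Finding(c["target"], c["subject"], c["time"], c["host"],
                    approvals.get(c["target"]))
        created = _ts(c["time"])
        # Correlation with approval / onboarding records.
        if f.approval is None:
            f.reasons.append("no approval or onboarding record")
        # Creation by an identity outside the provisioning process.
        if c["subject"] not in expected_creators:
            f.reasons.append(f"creator {c['subject']} is not a provisioning identity")
        # Creation outside the standard window.
        if not (business_hours[0] <= created.hour < business_hours[1]):
            f.reasons.append("created outside standard window")
        # Local accounts on member servers are a common blind spot.
        if c["host"] not in domain_controllers:
            f.reasons.append(f"local account on member server {c['host']}")
        # Elevated access granted shortly after creation.
        for g in group_adds:
            if g["target"] != c["target"] or g["group"] not in privileged_groups:
                continue
            delta = _ts(g["time"]) - created
            if timedelta(0) <= delta <= priv_window:
                secs = int(delta.total_seconds())
                f.reasons.append(f"added to {g['group']} {secs}s after creation")
        if f.reasons:
            findings.append(f)
    return findings


def flagged_accounts(findings):
    return {f.account for f in findings}


if __name__ == "__main__":
    for f in analyze(WINDOWS_EVENTS, APPROVALS):
        print(f"{f.account} created by {f.creator} on {f.source} at {f.created_at}")
        for r in f.reasons:
            print("  -", r)
```

On the constructed input, the approved onboarding account created by the provisioning identity during business hours produces no finding, while the off-hours service account elevated to Domain Admins within two minutes and the local account created on a member server are both flagged, each with the specific reasons attached so a triage analyst can confirm them against local policy before alerting, as the list above recommends.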
Mitigation priorities
- Maintain a documented and enforced account provisioning process for user, service, and machine accounts.
- Require accountable ownership and approval for new accounts, especially non-human and administrative accounts.
- Limit who can create accounts and periodically review those permissions.
- Integrate identity governance, change management, and logging so new accounts can be tied to a business purpose.
- Regularly audit newly created and dormant accounts, with priority on privileged or externally accessible identities.
Analyst notes and limits
This is a data component, not a technique. Its practical value is in confirming whether defenders have the telemetry needed to observe account lifecycle changes across operating systems, cloud environments, and identity management systems. The supplied ATT&CK object has no relationship context, no platform list, and no official detection text, so local architecture and logging configuration determine coverage.
The official fields only define the data component and its broad scope; no related techniques, threat groups, or procedures were supplied either. Any environment-specific detection logic, risk scoring, or control assessment therefore requires local telemetry, identity architecture, and governance process evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 840655b2786e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DC0014
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.