MITRE ATT&CK® Data Component

DC0087: Active Directory Object Creation

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:

- User Account Creation: New user account.
- Group Creation: New security/distribution group.
- OU Creation: New organizational unit.
- Service Account Creation: New service account for automation or malicious tasks.
- Trust Object Creation: Trust relationship with another domain.

Domain: Enterprise | ID: DC0087 | Type: Data Component | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Active Directory object creation is a high-value audit signal because new users, groups, OUs, service accounts, or trust relationships can materially change who has access and how the directory is governed. For leaders, this is less about a single Windows event and more about whether the organization can prove that directory changes are authorized, reviewed, and visible during an investigation.

Executive priority

Prioritize this data component as evidence for identity governance, incident response readiness, and compliance support. If the business cannot reliably explain who created new AD objects, when, and why, then privilege expansion, unauthorized service accounts, or risky trust changes may be difficult to detect or reconstruct. Executives should ask whether AD object creation is centrally logged, retained, reviewed, and tied to change-management or identity lifecycle processes.

Technical view

MITRE identifies this data component as creation of new Active Directory objects, including user accounts, groups, organizational units, service accounts, and trust relationships. The supplied ATT&CK description specifically notes Windows Security Event ID 5137 as the relevant log event. SOC and IR teams should validate that Event ID 5137 is collected from appropriate domain controller audit sources, normalized into the SIEM or detection platform, retained long enough for investigations, and enriched with actor, object type, object name, distinguished name, timestamp, and change context where available. No ATT&CK tactics, platforms, detection logic, or relationships were supplied, so local environment baselining is required.

Likely telemetry

  • Active Directory directory service change logs, specifically Event ID 5137 where available
  • Domain controller security audit logs for object creation events
  • SIEM-normalized records showing creator account, created object type, object name, distinguished name, and timestamp
  • Identity governance or change-management records that can corroborate approved account, group, OU, service account, or trust creation

Detection direction

  • Validate that Event ID 5137 is enabled, collected, and retained from the relevant Active Directory audit sources.
  • Baseline normal object creation patterns by administrative team, automation account, object type, and business process to reduce false positives.
  • Prioritize review of creation events involving privileged groups, service accounts, new OUs used for policy scope, and trust objects because these can affect access control and governance.
  • Correlate AD object creation with approval tickets, identity lifecycle events, and administrator activity to distinguish authorized provisioning from suspicious or unexplained changes.
  • Watch for blind spots such as incomplete domain controller coverage, short log retention, missing object attributes after normalization, and unmanaged automation that creates legitimate but noisy events.
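The baselining, prioritization and correlation steps above, worked through as triage logic over SIEM-normalized Event ID 5137 records. This is an added example, not code from MITRE or Glexia; the record field names, the account and OU names, the baseline table and the approval-ticket lookup are all constructed and stand in for your own normalized schema, provisioning baseline and change-management data.

```python
"""Triage of SIEM-normalized Event ID 5137 records (directory object created). Added
example, not MITRE's or Glexia's code: field names, accounts and OU naming are constructed."""

# Object classes whose creation changes access control or governance scope.
SENSITIVE_CLASSES = {"group", "trustedDomain", "organizationalUnit"}
# Constructed baseline: which accounts normally create which object classes.
BASELINE = {
    "svc_hr_provisioning": {"user"},                       # HR joiner automation
    "admin.jdoe": {"user", "group", "organizationalUnit"},
}
APPROVED_TICKETS = {"CHG-1042"}              # constructed change-management approvals
SERVICE_ACCOUNT_OU = "OU=Service Accounts"   # constructed OU naming convention

def triage_5137(event: dict) -> tuple:
    """Return (priority, object_dn, reasons) for one 5137 record."""
    creator, cls, dn = event["creator"], event["object_class"], event["object_dn"]
    reasons = []
    expected = BASELINE.get(creator)
    if expected is None:
        reasons.append("creator not in provisioning baseline")
    elif cls not in expected:
        reasons.append(f"{creator} does not normally create {cls} objects")
    # Service accounts are user objects; recognise them by the OU they land in.
    sensitive = cls in SENSITIVE_CLASSES or SERVICE_ACCOUNT_OU in dn
    if sensitive:
        reasons.append("high-impact object: " + ("service account" if cls == "user" else cls))
        if event.get("ticket") not in APPROVED_TICKETS:
            reasons.append("no approved change ticket")
    # Sensitive objects always get review; unexplained sensitive ones go to the top.
    unexplained = len(reasons) > (1 if sensitive else 0)
    priority = "high" if sensitive and unexplained else "medium" if reasons else "info"
    return priority, dn, reasons

def prioritize(events: list) -> list:
    """Keep only 5137 (create) records; return findings, highest priority first."""
    findings = [triage_5137(e) for e in events if e.get("event_id") == 5137]
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f[0]))

# Constructed sample records, shaped like SIEM-normalized 5137 events.
SAMPLE_EVENTS = [
    {"event_id": 5137, "creator": "svc_hr_provisioning", "object_class": "user",
     "object_dn": "CN=a.smith,OU=Staff,DC=corp,DC=example", "ticket": None},
    {"event_id": 5137, "creator": "admin.jdoe", "object_class": "group",
     "object_dn": "CN=Backup-Admins,OU=Privileged,DC=corp,DC=example", "ticket": "CHG-1042"},
    {"event_id": 5137, "creator": "admin.jdoe", "object_class": "trustedDomain",
     "object_dn": "CN=partner.example,CN=System,DC=corp,DC=example", "ticket": None},
    {"event_id": 5137, "creator": "tmp_helpdesk7", "object_class": "user",
     "object_dn": "CN=svc_backup2,OU=Service Accounts,DC=corp,DC=example", "ticket": None},
]
```

Running `prioritize(SAMPLE_EVENTS)` ranks the unapproved trust object and the service account created by an unknown account first, the ticketed privileged group as a routine review item, and the HR automation's user creation as informational.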

Mitigation priorities

  • Ensure directory object creation is governed by documented identity lifecycle and change-management processes.
  • Restrict who can create sensitive AD objects such as privileged groups, service accounts, OUs, and trust relationships according to least privilege.
  • Require periodic review of newly created AD objects, especially accounts, groups, service accounts, and trusts.
  • Use centralized logging and retention for AD object creation events to support SOC triage, incident response, and audit evidence.
  • Align monitoring with business-approved provisioning workflows so alerts focus on unauthorized, unusual, or high-risk object creation.

Analyst notes and limits

This object is a data component, not an ATT&CK technique. Its value is as telemetry that supports detection, investigation, governance, and auditability around Active Directory changes. The official ATT&CK fields provide the event concept and Event ID 5137, but no detection guidance or relationship context was supplied.

The supplied object does not specify ATT&CK tactics, platforms, relationships, or official detection analytics. This take therefore does not infer adversary behavior, exploitation, attribution, or guaranteed coverage. Teams must validate applicability against their own Active Directory architecture, audit policy, log pipeline, retention, and identity governance processes.

Official MITRE ATT&CK definition

Active Directory Object Creation

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:

- User Account Creation: New user account.
- Group Creation: New security/distribution group.
- OU Creation: New organizational unit.
- Service Account Creation: New service account for automation or malicious tasks.
- Trust Object Creation: Trust relationship with another domain.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 016c51cb5215b6f0...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 2.0 | Modified: | Status: Current bundle | Raw hash: 016c51cb5215…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DC0087 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.