AN0006: Analytic 0006
Adversary uses built-in tools such as 'net user /add /domain' or PowerShell to create a domain user account. The behavior chain includes: (1) suspicious process execution on a domain controller followed by (2) user account creation event (Event ID 4720) on the same host.
Analyst context for executives and security teams
This analytic matters because an unauthorized domain account gives an adversary durable, credentialed access that persists after the original intrusion path is closed. The supplied ATT&CK object focuses on a Windows domain-controller pattern: execution of a built-in tool such as net user or PowerShell, followed by a user account creation event on the same host. For leaders, the decision value is whether the organization can prove it sees and investigates new domain users created from domain controllers, especially when the creation is preceded by unusual administrative command execution.
Executive priority
Treat this as an identity resilience and SOC readiness validation item. Executives and security leaders should ask whether new domain account creation is logged, centrally collected, reviewed, and tied to accountable change processes. The priority is not only detection logic, but audit evidence: can the team distinguish approved administration from suspicious account creation quickly enough to support incident response decisions?
Technical view
For Windows environments with domain controllers, validate that process execution telemetry from the domain controller can be correlated with Windows Security Event ID 4720 (a user account was created) on the same host. Focus review on the built-in administration paths the object names: net user account creation and PowerShell-based account creation (for example New-ADUser from the ActiveDirectory module). Because the supplied object carries no formal detection logic and no tactic mapping, teams should tune locally around authorized admin workflows, service desk processes, privileged admin hosts, and expected domain controller management patterns.
Likely telemetry
- Windows Security Event ID 4720 for user account creation
- Process execution telemetry from domain controllers
- Command-line arguments for built-in Windows administration tools where collected
- PowerShell execution telemetry where collected
- Host identity and timestamp correlation for events occurring on the same domain controller
Detection direction
- Confirm domain controller security logs are collected centrally and retain Event ID 4720; on the DC, the User Account Management audit subcategory must be enabled for Success, or 4720 is never written.
- Confirm process creation and command-line telemetry is available from domain controllers (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1), plus PowerShell script block logging (Event ID 4104) so that encoded or obfuscated New-ADUser calls remain visible; without it, the behavior chain is only partially observable.
- Correlate suspicious process execution on a domain controller with a subsequent Event ID 4720 on the same host. Note the scope limit: 'net user /add /domain' or New-ADUser run from a workstation or jump host executes there, while the 4720 is logged on the DC that processed the change, so that path does not satisfy the same-host condition and needs a separate cross-host correlation.
- Tune expected administrative activity to reduce false positives, including approved identity administration, onboarding, break-glass procedures, and scripted account provisioning.
- Review events without clear change-control evidence as higher priority, especially when the creating process or account is unusual for the environment.
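The correlation and tuning steps above, worked through as an added example that is not part of the ATT&CK object or of the Glexia page. The events are constructed to mimic the fields of Windows Security 4688 (process creation with command line) and 4720 (user account created) after collection; the field names, the five-minute window, the host names and the approved provisioning account are assumptions, not a specific SIEM's schema or any organization's real identities.

```python
"""Correlate account-creation tooling with Event ID 4720 on the same domain controller.

Added example. Event records are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str       # domain controller that logged the event
    event_id: int   # 4688 (process creation, with command line) or 4720 (user created)
    subject: str    # account that launched the process / performed the creation
    detail: str     # 4688: command line; 4720: sAMAccountName of the new user


@dataclass(frozen=True)
class Finding:
    kind: str                  # "chain": tool + 4720 on same host; "uncorrelated": 4720 only
    severity: str
    host: str
    new_account: str
    creator: str
    tool_cmdline: Optional[str]


WINDOW = timedelta(minutes=5)  # assumed: how long before the 4720 a tool launch counts

# Built-in creation paths named by the analytic. net.exe hands off to net1.exe,
# so both image names are matched. An -EncodedCommand PowerShell launch would
# not match here; that is what script block logging (4104) is for.
CREATION_PATTERNS = [
    re.compile(r"\\net1?\.exe\b.*\buser\b.*\s/add\b", re.IGNORECASE),
    re.compile(r"\\(powershell|pwsh)\.exe\b.*\bNew-ADUser\b", re.IGNORECASE),
]

# Local tuning: identities whose account creation is change-controlled (assumed name).
APPROVED_CREATORS = {"corp\\svc-provision"}


def is_creation_tool(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in CREATION_PATTERNS)


def correlate(events: List[Event], window: timedelta = WINDOW) -> List[Finding]:
    """Anchor on each 4720 and look back for a creation tool on the same host."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings: List[Finding] = []
    for created in (e for e in ordered if e.event_id == 4720):
        precursors = [
            p for p in ordered
            if p.event_id == 4688
            and p.host == created.host              # same-host condition of the analytic
            and created.ts - window <= p.ts <= created.ts
            and is_creation_tool(p.detail)
        ]
        if not precursors:
            # A 4720 with no local tool launch: remote creation (net /domain or
            # New-ADUser from another host) or missing 4688 coverage. Still reviewable.
            findings.append(Finding("uncorrelated", "medium", created.host,
                                    created.detail, created.subject, None))
            continue
        tool = precursors[-1]  # closest preceding tool launch
        severity = "low" if created.subject.lower() in APPROVED_CREATORS else "high"
        findings.append(Finding("chain", severity, created.host,
                                created.detail, created.subject, tool.detail))
    return findings


# Constructed sample telemetry from two domain controllers.
SAMPLE_EVENTS = [
    Event(datetime(2026, 1, 10, 9, 0, 5), "DC01", 4688, "CORP\\svc-provision",
          r"C:\Windows\System32\net.exe user jdoe P@ssw0rd1 /add /domain"),
    Event(datetime(2026, 1, 10, 9, 0, 7), "DC01", 4720, "CORP\\svc-provision", "jdoe"),
    Event(datetime(2026, 1, 10, 14, 21, 3), "DC02", 4688, "CORP\\backup-op",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden "
          r"-c New-ADUser -Name svc_helpdsk -Enabled $true"),
    Event(datetime(2026, 1, 10, 14, 21, 9), "DC02", 4720, "CORP\\backup-op", "svc_helpdsk"),
    # 4720 with no tool launch on DC01 inside the window: remote path or telemetry gap.
    Event(datetime(2026, 1, 10, 16, 30, 0), "DC01", 4720, "CORP\\backup-op", "later-user"),
]


def run_sample() -> dict:
    return {f.new_account: f for f in correlate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The approved-creator check is deliberately a severity downgrade rather than a suppression: a compromised provisioning account is exactly the case change-control evidence should be asked for, so the low-severity finding still reaches the review queue described above.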
Mitigation priorities
- Establish and enforce approved workflows for domain user creation, including change records and privileged accountability.
- Restrict who can create domain users and periodically review delegated account-creation rights.
- Harden monitoring on domain controllers so account creation and relevant process execution are both collected and protected from tampering.
- Validate incident response playbooks for unauthorized domain account creation, including rapid account disablement, privilege review, and scope assessment.
- Use the analytic as compliance evidence by demonstrating that privileged identity changes are logged, reviewed, and correlated with administrative activity.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied fields identify Windows as the platform and describe a domain-controller behavior chain: suspicious process execution followed by Event ID 4720 on the same host. No relationship context, aliases, tactics, severity, related techniques, data components, or official detection logic were supplied, so local engineering is required to convert the concept into production detections.
This analysis therefore cannot assert active exploitation, attribution, impact, or coverage. Detection quality depends on local Windows audit policy, domain-controller telemetry, process command-line capture, PowerShell visibility, and change-management evidence, and the same-host condition means account creation driven remotely from an admin workstation falls outside this analytic as written.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 46e7cdbcae09… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.