AN1235: Analytic 1235
Adversary uses built-in tools like 'net user /add', PowerShell, or WMI to create a local user. Sequence: Account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe).
Analyst context for executives and security teams
This analytic matters because unexpected local account creation on Windows can turn a single compromised host into a more persistent access problem. The useful business question is not just whether Event ID 4720 exists, but whether the SOC can connect a new local user to the process that caused it, such as PowerShell, net.exe, or WMI-launched activity, quickly enough to support containment decisions.
Executive priority
Prioritize this as a Windows identity and incident-response readiness check. Leaders should ask whether endpoint and Windows security logging can prove who or what created a local account, whether that account was authorized, and whether responders have a clear process to disable or investigate it. This also supports audit and compliance evidence around privileged access governance and local account control.
Technical view
For Windows systems, validate correlation between account creation event 4720 and preceding process creation by potentially suspicious built-in tools such as powershell.exe or net.exe, with WMI also called out in the source description. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as a detection pattern to engineer and test locally rather than a complete rule. Key validation points are event timing, host correlation, process parent/child context, command-line visibility where available, and whether the created account is local and expected.
Likely telemetry
- Windows Security account creation events, especially Event ID 4720
- Process creation telemetry from Windows endpoints
- Process command-line and parent process metadata where collected
- PowerShell execution telemetry where enabled
- WMI-related process or activity telemetry where available
Detection direction
- Build or validate a sequence-based analytic: suspicious process creation followed by Windows account creation event 4720 on the same host within a defensible time window.
- Tune for legitimate administration, provisioning, helpdesk activity, software deployment, and break-glass account workflows to reduce false positives.
- Prioritize enrichment with actor identity, parent process, command line, host role, account naming patterns, and whether the new account is later added to privileged groups.
- Check blind spots: systems without process creation logging, missing command-line capture, inconsistent Windows Security auditing, or telemetry gaps on unmanaged endpoints.
- Because official detection content is not provided, document local detection assumptions and test coverage rather than assuming ATT&CK-provided completeness.
Mitigation priorities
- Confirm Windows auditing is enabled for local account creation and process creation on relevant endpoints.
- Restrict and monitor local account creation privileges according to administrative need.
- Maintain an approved process for local account provisioning, emergency access, and decommissioning so detections can distinguish authorized activity from suspicious activity.
- Ensure incident response playbooks include rapid validation, disabling, and review of newly created local accounts.
- Review endpoint coverage for Windows hosts where local account creation would create operational or compliance risk.
Analyst notes and limits
This object is a detection analytic, not a technique record. The supplied description provides the core behavioral sequence: built-in Windows tools such as net user /add, PowerShell, or WMI used to create a local user, with Event ID 4720 following suspicious process creation. There are no supplied relationships, aliases, labels, or tactic mappings, so the take focuses on defensible engineering and validation rather than broader ATT&CK context.
Official detection logic is not provided, and no relationships or tactics are supplied. This take cannot determine prevalence, adversary attribution, impact, or actual customer exposure. Local environment data is required to define suspicious processes, authorized administration patterns, time windows, and response severity.
Analytic 1235
Adversary uses built-in tools like 'net user /add', PowerShell, or WMI to create a local user. Sequence: Account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 890e6b36bc6b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1235Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.