MITRE ATT&CK® Analytic

AN1604: Analytic 1604

Adversary uses built-in OS tools or API calls to create local or domain accounts for persistence or lateral movement. Tools such as 'net user', PowerShell, or MMC snap-ins may be used. Detection focuses on Event ID 4720 paired with process lineage and user context.

Domain: Enterprise | Object: AN1604 | Type: Analytic | Object version: 1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because unexpected Windows account creation can be an early sign that an intruder is preparing persistence or lateral movement. For business leaders, the decision point is whether the organization can quickly distinguish legitimate administration from unauthorized local or domain account creation before access becomes durable and harder to remove.

Executive priority

Prioritize this as an identity and incident-response readiness control for Windows environments. Leaders should ask whether account-creation events are collected, retained, reviewed with process and user context, and usable as audit evidence during an investigation. The value is not just alerting on Event ID 4720, but proving who created the account, from what host, by what tool or process, and whether the action matched an approved administrative workflow.

Technical view

For SOC and detection teams, validate monitoring for Windows account creation using Event ID 4720 enriched with process lineage and user context, as described by the analytic. Review whether account creation via built-in OS tools or administrative interfaces such as net user, PowerShell, or MMC snap-ins can be correlated to the initiating user, host, parent process, and administrative justification. Because no ATT&CK tactics or relationships are supplied, treat this as a focused Windows account-creation detection analytic rather than a broader behavior chain.

Likely telemetry

  • Windows Security Event ID 4720 account creation events
  • User and administrator identity context for the creator account
  • Host context for where the account was created
  • Process lineage or process creation telemetry related to account-management tools
  • Command or script execution context where available for net user, PowerShell, or MMC-based administration

Detection direction

  • Confirm Event ID 4720 is enabled, centralized, and retained for relevant Windows systems and domain controllers where applicable.
  • Correlate account creation with process lineage and creator identity rather than alerting on the event in isolation.
  • Tune for approved provisioning, help desk, and administrative workflows to reduce false positives while preserving visibility into unusual creators, hosts, or tools.
  • Validate whether account creation through built-in tools, PowerShell, and MMC snap-ins produces sufficient telemetry in the environment.
  • Investigate newly created accounts for privilege level, group membership changes, source host, and whether the creator account was expected to perform the action.
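The correlation the "Technical view" and "Detection direction" sections describe, as an added example that is not part of the Glexia or MITRE material: constructed 4720 (account created) and 4688 (process created) events are joined on host and creator within a short window, then checked against hypothetical allowlists of approved provisioning identities and tools. Field names mirror the Windows Security log (SubjectUserName, TargetUserName, NewProcessName, ParentProcessName); hosts, users and paths are invented.

```python
"""Triage Windows account creation (4720) using process lineage (4688)."""
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. A 4720 records the creator
# (subject) and the new account (target); a 4688 records which process the
# same subject started on the same host (net.exe hands off to net1.exe).
EVENTS = [
    {"id": 4688, "time": "2024-05-01T09:58:10", "host": "HR-WS01", "subject": "svc_provision",
     "process": r"C:\Provisioning\adprov.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 4720, "time": "2024-05-01T09:58:12", "host": "HR-WS01", "subject": "svc_provision", "target": "jdoe"},
    {"id": 4688, "time": "2024-05-01T22:14:03", "host": "FIN-WS07", "subject": "bsmith",
     "process": r"C:\Windows\System32\net1.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 4720, "time": "2024-05-01T22:14:04", "host": "FIN-WS07", "subject": "bsmith", "target": "support$"},
    {"id": 4720, "time": "2024-05-02T03:02:00", "host": "DC01", "subject": "helpdesk1", "target": "tmp_admin"},
]
# Hypothetical approved provisioning workflow: one service identity, one tool.
APPROVED_CREATORS = {"svc_provision"}
APPROVED_TOOLS = {r"c:\provisioning\adprov.exe"}
WINDOW = timedelta(seconds=30)  # how far back to look for the creating process

def lineage_for(creation, events):
    """Return the latest 4688 by the same subject on the same host within WINDOW, or None."""
    t = datetime.fromisoformat(creation["time"])
    best = None
    for e in events:
        if e["id"] != 4688 or e["host"] != creation["host"] or e["subject"] != creation["subject"]:
            continue
        et = datetime.fromisoformat(e["time"])
        if timedelta(0) <= t - et <= WINDOW and (best is None or et > datetime.fromisoformat(best["time"])):
            best = e
    return best

def triage(events):
    """Flag each 4720 whose creator or creating tool is outside the approved workflow."""
    findings = []
    for c in (e for e in events if e["id"] == 4720):
        proc = lineage_for(c, events)
        reasons = []
        if c["subject"] not in APPROVED_CREATORS:
            reasons.append("creator not in approved provisioning roles")
        if proc is None:
            reasons.append("no process lineage found")  # telemetry gap or remote/API path
        elif proc["process"].lower() not in APPROVED_TOOLS:
            reasons.append(f"unapproved tool {proc['process']} (parent {proc['parent']})")
        if reasons:
            findings.append({"host": c["host"], "creator": c["subject"], "account": c["target"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Only the two creations outside the approved workflow are reported; the missing-lineage case is surfaced separately so the team can tell a telemetry gap from an unapproved tool.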

Mitigation priorities

  • Establish and enforce approved workflows for local and domain account creation.
  • Limit account-creation rights to appropriate administrative roles and periodically review who has those permissions.
  • Require logging and retention sufficient to reconstruct account creation with user and process context.
  • Include unauthorized account creation in incident response playbooks, including rapid disablement, ownership validation, and review of related access changes.
  • Use audit evidence from account-creation monitoring to support compliance and identity governance reviews.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows account creation. Its strongest operational value is in identity control validation and investigation readiness: teams should be able to prove whether an account was created legitimately and what process initiated it. The object names Event ID 4720, built-in OS tools, PowerShell, and MMC snap-ins as relevant context.

Official detection text, tactics, labels, aliases, and relationship context were not supplied. This take does not infer adversary attribution, active exploitation, impact, or coverage beyond Windows and the described account-creation analytic. Local logging configuration and administrative processes are required to determine actual detection quality.

Official MITRE ATT&CK definition

Analytic 1604

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f0c107887976f3af...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f0c107887976…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1604

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.