DET0583: Detection Strategy for T1136 - Create Account across platforms
Analyst context for executives and security teams
DET0583 is MITRE’s detection strategy object for identifying account creation associated with ATT&CK technique T1136, Create Account. The business significance is persistence: an adversary with enough access may create local, domain, or cloud-tenant accounts to preserve credentialed access without relying on malware or remote access tools. For leaders, this makes account creation monitoring a core identity, cloud, SOC, and incident response control area rather than a purely administrative audit item.
Executive priority
Prioritize this as an identity and access governance question: can the organization explain who is allowed to create accounts, where that can happen across Windows, Linux, macOS, and IaaS environments, and how quickly suspicious account creation would be reviewed? The object has no official MITRE detection text, so executives should ask for evidence of local implementation: logging coverage, alert logic, privileged account creation review, cloud tenant visibility, and incident response playbooks for unauthorized accounts.
Technical view
This detection strategy is tied by relationship to T1136 Create Account under the persistence tactic. SOC and detection teams should validate monitoring for new account creation across the related platforms supplied by ATT&CK: Windows, Linux, macOS, and IaaS. Because the detection strategy object does not provide official detection logic, teams should base validation on local authoritative sources for account lifecycle events, privilege assignment context, actor identity, source system, timing, and whether the account appears in expected provisioning workflows. IR teams should treat unexplained account creation as potential persistence until reconciled with change records or identity governance evidence.
Likely telemetry
- Operating system account creation logs from Windows, Linux, and macOS where collected
- Directory or domain account lifecycle events where applicable
- Cloud/IaaS identity and tenant audit logs for user or service account creation
- Privileged identity management or IAM change records
- Account provisioning, HR, ticketing, or change-management records for business justification
Detection direction
- Validate that account creation events are collected from each relevant platform named in the related technique: Windows, Linux, macOS, and IaaS.
- Correlate new accounts with approved provisioning workflows to reduce false positives from normal onboarding, automation, and administrative maintenance.
- Prioritize accounts created by unusual administrators, from unexpected systems or locations, outside normal change windows, or without a corresponding request record.
- Watch for account creation followed by authentication, privilege assignment, or access to specific cloud services, since the related technique notes local, domain, and cloud-tenant account creation.
- Identify blind spots where local system accounts, cloud service-specific accounts, or non-centralized identity stores are not included in SOC visibility.
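The correlation and prioritization steps above, as an added example that is not part of the MITRE object or Glexia's analysis. It assumes a normalized account-creation event schema and local policy values (approved creators per platform, a change window, a follow-up window for privilege assignment) that are constructed here and would have to come from your own identity governance records.

```python
from datetime import datetime, timedelta

# Constructed, normalized account-creation events (sample data, not real telemetry).
# Fields: ts (ISO local time), platform, host/tenant, actor, new account, provisioning ticket.
CREATIONS = [
    {"ts": "2024-05-06T10:15:00", "platform": "windows", "host": "dc01",
     "actor": "svc_provision", "account": "j.doe", "ticket": "CHG-1001"},
    {"ts": "2024-05-06T02:40:00", "platform": "linux", "host": "web03",
     "actor": "root", "account": "backup2", "ticket": None},
    {"ts": "2024-05-06T11:05:00", "platform": "iaas", "host": "tenant-a",
     "actor": "contractor77", "account": "ops-svc", "ticket": "CHG-1002"},
]
# Constructed privilege-assignment events to correlate with the creations above.
PRIVILEGE_ASSIGNMENTS = [
    {"ts": "2024-05-06T02:43:00", "host": "web03", "account": "backup2", "group": "sudo"},
]
# Assumed local policy: who may create accounts per platform, and the routine change window.
APPROVED_CREATORS = {"windows": {"svc_provision"}, "linux": {"ansible"}, "iaas": {"svc_provision"}}
CHANGE_WINDOW_HOURS = (8, 18)      # 08:00-17:59 local time
FOLLOW_UP_WINDOW = timedelta(minutes=15)


def score_creation(ev, priv_events):
    """Return (severity, reasons) for one normalized account-creation event."""
    reasons = []
    created = datetime.fromisoformat(ev["ts"])
    if ev["ticket"] is None:
        reasons.append("no provisioning record")
    if ev["actor"] not in APPROVED_CREATORS.get(ev["platform"], set()):
        reasons.append(f"unexpected creator {ev['actor']}")
    if not CHANGE_WINDOW_HOURS[0] <= created.hour < CHANGE_WINDOW_HOURS[1]:
        reasons.append("outside change window")
    for p in priv_events:  # creation followed shortly by privilege assignment on the same host
        if p["host"] == ev["host"] and p["account"] == ev["account"]:
            delta = datetime.fromisoformat(p["ts"]) - created
            if timedelta(0) <= delta <= FOLLOW_UP_WINDOW:
                reasons.append(f"{p['group']} assignment {int(delta.total_seconds() // 60)} min after creation")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return severity, reasons


def triage(creations=CREATIONS, priv_events=PRIVILEGE_ASSIGNMENTS):
    """Score every creation and return findings ordered by severity (high first)."""
    rank = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for ev in creations:
        severity, reasons = score_creation(ev, priv_events)
        findings.append({"account": ev["account"], "platform": ev["platform"],
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: rank[f["severity"]])
```

With the constructed data, `triage()` ranks the Linux account created by root at 02:40 with no ticket and a sudo assignment three minutes later as high, the cloud account created by an unapproved actor with a valid ticket as medium, and the Windows account created through the provisioning service as informational.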
Mitigation priorities
- Define and enforce who can create local, domain, and cloud/IaaS accounts.
- Require auditable approval and change records for account creation, especially privileged or service-specific accounts.
- Centralize account lifecycle logging into the SOC or security data platform where feasible.
- Regularly reconcile active accounts against expected business owners and provisioning sources.
- Include suspicious or unauthorized account creation in incident response triage and containment procedures.
Analyst notes and limits
This object is a detection strategy for T1136 Create Account, but the supplied ATT&CK fields do not include an official description or official detection logic. The strongest usable context comes from the relationship to T1136, which identifies persistence behavior and the related platforms Windows, IaaS, Linux, and macOS. Any concrete analytic implementation must be derived from the organization’s identity architecture, logging sources, and account provisioning processes.
The detection strategy itself lists platforms and tactics as not specified and provides no official detection content. This analysis therefore avoids claiming specific coverage, exploitation, attribution, or guaranteed detection. Local validation is required to determine which identity stores, operating systems, and cloud services are actually monitored.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1136 | Create Account | This object detects Create Account. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5e4c408a9efb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0583
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.