Create Account

Persistence

Execution

attacker@victim
net user test test123 /add /domain

Observations

commandline arguments

There is a whole range of interesting events that could be monitored related to new account creation:

Details for the newly added account are logged as event 4720 :

References

LogoCreate Account, Technique T1136 - Enterprise | MITRE ATT&CKĀ®

PreviousSticky KeysNextAddMonitor()

Last updated