Skip to content

T1136: Create Account

Execution

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

net user test test123 /add /domain
{% endcode-tabs-item %} {% endcode-tabs %}

Observations

commandline arguments

There is a whole range of interesting events that could be monitored related to new account creation:

Details for the newly added account are logged as event 4720 :

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1136" %}