Windows Event ID 4720 — User Account Created
Logged when a new user account is created in Active Directory or locally on a Windows system. Fires on the domain controller for AD accounts and on the local machine for local accounts. Every account creation — whether by IT provisioning or an attacker — generates this event.
MITRE ATT&CK
T1136 · Create Account
Persistence
Why It Matters
Attackers create backdoor accounts to maintain persistent access that survives password resets, detection, and partial remediation. Unlike compromising an existing account, a new account can be named and configured to blend in — matching naming conventions, set with 'password never expires', or created with attributes that make it look like a service account. The critical pattern is 4720 + 4728 within seconds: account created, then immediately added to Domain Admins. This two-event sequence is the attacker establishing a domain-wide backdoor and is one of the highest-confidence persistence IOCs in Windows event logs.
Key Fields
Investigation Tips
1. Verify every 4720 against HR records and IT change tickets — account creation should never happen outside a documented provisioning process. Any unrecognized 4720 should be investigated immediately.
2. Backdoor sequence: 4720 immediately followed by 4728 (Domain Admins) or 4732 (local Administrators) within 60 seconds, both events sharing the same Subject Account Name. This is the attacker establishing persistence — treat it as a critical incident.
3. Validate the Subject Account Name: unexpected creators (a service account, a workstation account, or an account that isn't part of your IT provisioning workflow) indicate the creator account was itself compromised. Trace the creator's session via Subject Logon ID.
4. Naming camouflage: check whether the new account name resembles existing accounts — attackers study the environment first. 'john.smith2', 'svc_monitor_bkp', or 'IT.helpdesk' in an environment with similar names should trigger the same scrutiny as an obvious 'hacker123'.
5. Account created disabled (then activated later via 4722) is a low-and-slow persistence technique — the account sits dormant and is activated weeks or months later when the attacker needs it. Watch for 4720 events where the account is immediately disabled, then 4722 events for the same account much later.
6. Check for 4624 logons from the new account immediately after creation — if the account is used within minutes, the attacker is actively operating. A new account that goes days without a logon may be a sleeper.
Detection Logic (KQL)
Microsoft Sentinel (KQL) — alert on unexpected account creation and the high-confidence backdoor sequence (4720 + 4728 to Domain Admins within 60 seconds). The two queries below are separate; run each on its own, since a single Kusto query cannot end in two tabular expressions.

```kql
// All account creation events — filter to non-provisioning actors
SecurityEvent
| where EventID == 4720
| where SubjectAccount !in ("known-provisioning-account", "SYSTEM")
| project TimeGenerated, SubjectAccount, NewAccount=TargetAccount,
          NewAccountDomain=TargetDomainName, Computer
| sort by TimeGenerated desc
```

```kql
// Backdoor account IOC: new account + Domain Admins addition within 60 seconds
let creates = SecurityEvent
    | where EventID == 4720
    | project t0=TimeGenerated, SubjectAccount, NewAccount=TargetAccount, Computer;
let adds = SecurityEvent
    | where EventID == 4728
    | where TargetUserName has_any ("Domain Admins", "Enterprise Admins")
    | project t1=TimeGenerated, SubjectAccount, AddedUser=MemberName;
creates
| join kind=inner adds on SubjectAccount           // same creator on both events
| where datetime_diff('second', t1, t0) between (0 .. 60)   // addition follows creation
| where AddedUser contains NewAccount               // MemberName is a DN; match the new account's name inside it
| project t0, t1, SubjectAccount, NewAccount, AddedUser, Computer
```

Related Event IDs
Frequently Asked Questions
- Why is Event ID 4720 suddenly appearing in my logs?
- Either a new user account was legitimately provisioned (HR onboarding, service account for a new application), or an attacker created a backdoor account. Check the Subject Account Name field — the account that created the new account. If it's a known admin account during business hours, it is likely legitimate. If it's an unexpected account, a service account, or if it occurred outside business hours, investigate immediately. Also check whether 4728 (added to group) fires within 60 seconds on the same new account — the 4720+4728 sequence is the automated backdoor creation IOC.
- Is Event ID 4720 always a sign of an attack?
- No — every new employee and every new service account generates a 4720. The signal is in context: who created it (Subject Account Name), when, from which workstation, and what happened next. Backdoor accounts typically follow a pattern: creation by an unexpected account → immediate group membership change (4728) → immediate logon (4624) → no subsequent HR ticket. Legitimate accounts are created by IT admin accounts, during business hours, and followed by expected onboarding activity. Alert on creation by non-admin accounts, creation followed immediately by privileged group addition, and accounts created with naming patterns that camouflage them (e.g. 'svcUpdate', 'adminhelp', 'DESKTOP-01').
- What is a 'sleeper account' and how do I detect it using Event ID 4720?
- A sleeper account is created and then left dormant — no immediate logon or group changes that would trigger alerts. The attacker waits days or weeks before using it, betting that security teams only investigate accounts that show immediate suspicious activity. Detect sleepers by baselining new account creation: if a 4720 fires but no corresponding 4624 or 4728 follows within the expected onboarding window (48–72 hours), flag it for review. Also watch for accounts with UserAccountControl flags that indicate they are enabled (flag 0x200 = normal account, 0x10000 = password never expires — attackers often set both for longevity).
- What's the difference between Event ID 4720 and 4728?
- Event 4720 fires when a new user account object is created in Active Directory. Event 4728 fires when an account is added to a global security group (most commonly Domain Admins, Domain Users, etc.). They are related but distinct: 4720 tracks account existence, 4728 tracks privilege assignment. A backdoor Domain Admin requires both — creation (4720) followed by group membership (4728). Either alone is less alarming; the combination within 60 seconds is the high-confidence IOC. Monitor for both, correlate them on the new account's username, and alert on the sequence.
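The backdoor sequence from investigation tip 2 and the sleeper-account check from the FAQ above, implemented as an added Python example over constructed sample records (this is not EventPeeker code or the page's own detection logic; the record field names, the sample accounts and timestamps are assumptions):

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BACKDOOR_WINDOW = timedelta(seconds=60)    # tip 2: 4720 -> 4728/4732 within 60 s
ONBOARDING_WINDOW = timedelta(hours=72)    # FAQ: expected first logon / group change window

# Constructed sample records (not from the page). subject = Subject Account Name
# (the creator), target = account or group the event acts on, member = account
# added to a group (4728/4732). Timestamps are ISO 8601 strings.
EVENTS = [
    {"id": 4720, "ts": "2024-05-01T02:14:05", "subject": "svc_backup", "target": "svc_monitor_bkp"},
    {"id": 4728, "ts": "2024-05-01T02:14:09", "subject": "svc_backup", "target": "Domain Admins",
     "member": "svc_monitor_bkp"},
    {"id": 4624, "ts": "2024-05-01T02:16:00", "subject": "-", "target": "svc_monitor_bkp"},
    {"id": 4720, "ts": "2024-05-01T10:00:00", "subject": "it.provision", "target": "john.smith"},
    {"id": 4624, "ts": "2024-05-02T08:30:00", "subject": "-", "target": "john.smith"},
    {"id": 4720, "ts": "2024-05-03T11:00:00", "subject": "it.provision", "target": "IT.helpdesk"},
]

def parse(events):
    """Convert timestamps and sort chronologically so later checks can compare datetimes."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])

def backdoor_sequences(events):
    """4720 followed within 60 s by 4728/4732 into a privileged group, by the same creator,
    where the added member is the account just created. Returns (new account, group, creator, seconds)."""
    evs = parse(events)
    hits = []
    for c in (e for e in evs if e["id"] == 4720):
        for a in evs:
            if (a["id"] in (4728, 4732) and a["target"] in PRIVILEGED_GROUPS
                    and a["subject"] == c["subject"] and a.get("member") == c["target"]
                    and timedelta(0) <= a["ts"] - c["ts"] <= BACKDOOR_WINDOW):
                hits.append((c["target"], a["target"], c["subject"], int((a["ts"] - c["ts"]).total_seconds())))
    return hits

def sleeper_accounts(events, now_iso):
    """Accounts whose 4720 is not followed by a 4624 logon or a 4728/4732 group change inside
    the onboarding window. Only accounts whose window has fully elapsed by now_iso are reported."""
    now, evs, sleepers = datetime.fromisoformat(now_iso), parse(events), []
    for c in (e for e in evs if e["id"] == 4720):
        deadline = c["ts"] + ONBOARDING_WINDOW
        if deadline > now:
            continue  # still inside the onboarding window; too early to call it a sleeper
        active = any(e["id"] in (4624, 4728, 4732) and c["ts"] < e["ts"] <= deadline
                     and (e["target"] == c["target"] or e.get("member") == c["target"]) for e in evs)
        if not active:
            sleepers.append(c["target"])
    return sleepers
```

In production the same two checks would run over records pulled from the Security log or a SIEM rather than the inline list; the 72-hour window is the FAQ's upper bound and should be tuned to the organisation's real onboarding cadence.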
Full Detection Guide Available
This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.
See Event ID 4720 in your logs
Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects user account created patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.