IncidentResponsev2

Monitor AD New Account Creation

Task Monitor for new Active Directory user account creation events

Conditions

Given access to a Domain Controller (DC), a domain account with appropriate permissions, and an incident response workstation with RSAT tools and PowerShell.

Operator Note: Monitoring and detecting new accounts in AD is critical during incident response to identify potential unauthorized accounts created by adversaries.

Standards

Team member identifies and implements appropriate monitoring method(s) to detect new AD user accounts.
Team member configures or queries event logs or AD to identify any new accounts created during incident timeframe.
Team member documents and reports findings to system owner for validation and follow-up action.

End State

All new accounts created during the timeframe of interest are identified, exported, and validated.

Notes

Event ID 4720 (“A user account was created”) is the standard logon event ID for user creation in Active Directory.
PowerShell and Event Viewer are primary methods for detection.
Security Information and Event Management (SIEM) tools are preferred when available for enterprise-scale detection.

Manual Steps

Method 1: Check Security Event Logs (Preferred)

On Domain Controller (locally or remotely)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=(Get-Date).AddDays(-7)} |
Select-Object TimeCreated, Id, Message |
Export-Csv .\NewAccounts.csv -NoTypeInformation

Operator Note: Adjust AddDays(-7) as needed to specify timeframe of incident.

Sample output entry:

A user account was created.

Subject:
    Security ID:        DOMAIN\Administrator
    Account Name:       Administrator
    Account Domain:     DOMAIN
    Logon ID:           0x1A8B2

New Account:
    Security ID:        DOMAIN\newuser
    Account Name:       newuser

Method 2: Live Check for Recently Created Accounts (Attribute Based)

Get-ADUser -Filter * -Properties whenCreated |
Where-Object { $_.whenCreated -ge (Get-Date).AddDays(-7) } |
Select-Object Name, SamAccountName, whenCreated |
Export-Csv .\RecentADAccounts.csv -NoTypeInformation

Operator Note: This queries based on AD object creation time.

Method 3: Enable Auditing (Optional for persistent monitoring)

Enable auditing of user account management:

Auditpol /set /category:"Account Management" /success:enable /failure:enable

Operator Note: This must be done in advance or during active incident monitoring.

Running Script

Example PowerShell for detection + export:

$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=(Get-Date).AddDays(-7)}
$events | Export-Csv ".\NewADAccounts.csv" -NoTypeInformation

Store this file in the incident response working folder for analysis and reporting.

Dependencies

Windows Server with AD Domain Services
RSAT tools with PowerShell access
Security Event Log access (requires Admin rights)

Other Available Tools

Tool	Platform	Use Case
PowerShell + Event Logs	Windows	Primary method for detection
PowerShell + Get-ADUser	Windows	Quick check based on whenCreated attribute
Event Viewer (GUI)	Windows	Manual review
SIEM (Splunk, Sentinel, etc.)	Windows/Linux	Enterprise level aggregation and monitoring
WMI Event Subscriptions (optional advanced use)	Windows	Real-time event capture (rarely used in IR)

Operator Recommendations and Additional Tools

Operator Checklist

Verify access to Domain Controller security logs.
Use PowerShell to pull all recent account creation events (ID 4720).
Cross-reference new accounts against valid provisioning records.
Validate “who created” and “when created” attributes.
Export report and notify system owner of any suspicious or unauthorized accounts.

Best Practices

Use Security Event Logs for reliable and auditable data.
Use AD attribute queries (whenCreated) to cross-validate events.
When possible, ingest AD security events into SIEM for automated detection.
Always validate account purpose before removing or disabling.

References

Microsoft Event ID 4720 Documentation
PowerShell Get-ADUser Cmdlet
Auditpol Command

Revision History

Date	Version	Description	Author
2025-05-02	1.0	Fully generated operator guide with event log monitoring, PowerShell procedures, tooling, checklist, best practices	Leo