title: Create Account (T1136)
id: df00tech-t1136
status: experimental
description: "Adversaries may create an account to maintain access to victim systems. With sufficient privilege, creating accounts establishes secondary credentialed access that does not require persistent remote access tools. Accounts may be created on local systems, within a domain, or in cloud tenants. Threat actors including Indrik Spider (WastedLocker), LockBit 2.0, Scattered Spider, and Salt Typhoon have all used account creation as a persistence mechanism. In cloud environments, attackers may create accounts with access limited to specific services to reduce detection likelihood."
references:
  - https://attack.mitre.org/techniques/T1136/
  - https://df00tech.com/detections/T1136
author: df00tech
date: 2026/04/18
tags:
  - attack.t1136
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Only the process_creation branch is expressed here: local or domain account
  # creation via net.exe / net1.exe ("net user <name> <password> /add").
  # The full multi-source logic (including the account-creation audit events
  # mentioned under falsepositives) is the KQL/SPL query on df00tech.
  selection_img:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'user'
      - '/add'
  condition: selection_img and selection_cli
falsepositives:
  - IT provisioning scripts that create service accounts or user accounts during onboarding workflows
  - "Software installers that create local service accounts (e.g., backup agents, monitoring tools like Datadog, SolarWinds)"
  - Domain join processes that create computer accounts triggering related audit events
  - Automated testing infrastructure that creates and removes ephemeral accounts
  - Password reset or account unlock scripts using net.exe that get flagged on the process branch
level: high
