This note documents detection patterns related to User Changes within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4720	User account created	Critical	Core event for new local or domain user creation.
Security	4722	User account enabled	Critical	Detects activation of disabled account.
Security	4723	Password change attempted	High	Self-password modification.
Security	4724	Password reset attempted	Critical	Admin or attacker resets another account password.
Security	4725	User account disabled	High	Possible attacker cleanup or disruption.
Security	4726	User account deleted	Critical	Removal after abuse or cleanup.
Security	4738	User account changed	Critical	Attribute modification, including password and flags.
Security	4688	Process creation	High	Detects `net.exe`, PowerShell, `dsmod`, `wmic`.
Sysmon	1	Process creation	Critical	Best execution source for user modification tooling.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
New admin-capable user appears	Fresh account with later privilege assignment	Critical	Persistence or escalation signal.
Dormant account enabled	Previously unused account activated	Critical	Strong attacker tactic.
Password reset on service/admin account	Sensitive account targeted	Critical	Lateral movement clue.
User created then immediate logon	Fast operational use	Critical	Strong malicious chain.
User deleted after short lifespan	Temporary persistence account	High	Cleanup clue.
Attribute changes outside admin window	Odd time / host	High	Strong anomaly.

Common Tools

Tool	Usage
net.exe	User create / modify
net1.exe	Legacy account manipulation
PowerShell	New-LocalUser / Set-LocalUser
dsadd.exe	Domain user creation
dsmod.exe	Domain user modification
lusrmgr.msc	GUI local account changes
Active Directory Users and Computers	GUI domain changes

Relevant Artifacts

Security Event IDs 4720, 4722, 4723, 4724, 4725, 4726, 4738
Security Event ID 4688
Sysmon Event ID 1
Prefetch:
- NET.EXE
- POWERSHELL.EXE
- DSADD.EXE
- DSMOD.EXE
Amcache / ShimCache
EDR process tree
Account logon events after change

MITRE ATT&CK References

T1136 Create Account
T1098 Account Manipulation
T1078 Valid Accounts

Decision Tree

What changed?
- Create
- Enable
- Reset
- Delete
Which account affected?
- Admin
- Service
- Dormant
- New user
Which process executed change?
- net.exe
- PowerShell
- AD tooling
Follow-up activity?
- Logon
- Group add
- RDP / SMB use
Expand:
- Privilege assignment
- Lateral movement
- Persistence
Scope:
- Single account
- Multiple users
- Domain-wide changes

Example Detection Templates

KQL

SecurityEvent
| where EventID in (4720,4722,4724,4726,4738)
| project TimeGenerated, Computer, Account, TargetAccount, EventID

Sysmon
| where EventID == 1
| where CommandLine has_any ("net user","New-LocalUser","dsadd","dsmod")
| project TimeGenerated, Computer, User, CommandLine

EQL

iam where event.code in ("4720","4722","4724","4726","4738")

sequence by host.name with maxspan=10m
  [ any where event.code == "4720" ]
  [ authentication where event.code == "4624" ]

Sigma

title: User Changes Detection
id: 5f2d3a81-user-changes
status: experimental
description: Detects creation and modification of user accounts
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4720
      - 4722
      - 4724
      - 4726
      - 4738
  condition: selection
fields:
  - EventID
  - TargetAccount
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.persistence
  - attack.t1136

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Alert on user creation	Immediate review	Critical	High-confidence signal
Protect admin accounts	Restrict who can modify users	Critical	Reduce abuse
Baseline dormant accounts	Detect unusual enablement	High	Strong anomaly detection
Correlate with logons	Catch operational use	Critical	Confirms attacker intent
Central audit retention	Preserve account timeline	High	Supports full reconstruction