This event, logged to the Security channel, indicates a new user account was created on the endpoint.
Note
In Windows XP, the corresponding Event ID is 624.
- Behavioral - Persistence (TA0003)
- Account - Creation Time
- Account - Logon ID
- Account - Security Identifier (SID)
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
%SystemRoot%\System32\Winevt\Logs\Security.evtx
The following fields may be interpreted from this artifact:
Field Name | Interpretation |
---|---|
Subject / Security ID | SID of account that created the new account |
Subject / Account Name | Account name of account that created the new account |
Subject / Logon ID | Logon ID of session for account that created the new account |
New Account / Security ID | SID of the new account |
New Account / Account Name | Name of the new account |
Note
The SID may be translated by Event Viewer. To view the raw SID, look at the event's XML data, which has the following fields available:
When parsing the event's XML data:
XML Path | Interpretation |
---|---|
EventData/TargetUserName | New account name |
EventData/TargetSid | New account SID |
EventData/SubjectUserSid | SID of account that created the new account |
EventData/SubjectUserName | Account name of account that created the new account |
EventData/SubjectLogonId | Logon ID of session for account that created the new account |
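
The XML paths above can be read directly from an exported event, which gives the raw SIDs rather than the names Event Viewer displays. The following is an added example, not part of the original page: the sample event is constructed, and the Event ID 4720 (the ID Windows Vista and later use for this event), the function name and the sample values are assumptions not taken from the page.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as rendered by Event Viewer's XML view).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACCOUNT_CREATED = "4720"  # assumption: the page does not state the modern Event ID
FIELDS = ("TargetUserName", "TargetSid", "SubjectUserSid",
          "SubjectUserName", "SubjectLogonId")

# Constructed sample event; host, account names and SIDs are made up.
SAMPLE_EVENT = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000Z"/>
    <Computer>WKSTN01</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1005</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
"""

def parse_account_creation(event_xml):
    """Return the EventData fields listed in the table, or None for other events."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if event_id.strip() != ACCOUNT_CREATED:
        return None
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    record = {name: data.get(name) for name in FIELDS}
    # Event timestamp, i.e. when the account was created.
    time_el = root.find("e:System/e:TimeCreated", NS)
    record["TimeCreated"] = time_el.get("SystemTime") if time_el is not None else None
    # Logon ID is a hex string; an integer compares reliably against the
    # logon ID recorded for the creating account's session in other events.
    if record["SubjectLogonId"]:
        record["SubjectLogonId"] = int(record["SubjectLogonId"], 16)
    return record

if __name__ == "__main__":
    print(parse_account_creation(SAMPLE_EVENT))
```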