Account Created

Windows Event ID: 4720

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

Account creation logs can reveal a suspicious new account created in preparation for an attack, or someone doing things they shouldn't. It is also a good idea to know when new users appear on the network so you are prepared for their activity. This log is required by NIST SP 800-53, HIPAA and PCI DSS regulations. It is also recommended under the NSA Cyber Event Forwarding Guidance.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4720'}
Check Logging Status
auditpol /get /subcategory:"User Account Management"
Disable Logging
auditpol /set /subcategory:"User Account Management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"User Account Management" /Success:Enable /Failure:Enable

Compliance

HIPAA

Level: Recommended


NIST SP 800-53

Level: Recommended


Windows 10 Professional logs this by default. To view it, open the Security log (under Windows Logs) in the Windows Event Viewer, then sort or filter the log for event ID 4720.

To view this log from the command line with Get-WinEvent, run PowerShell as an administrator. Enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4720'}

To view this log from the command line with wevtutil, run the command prompt or PowerShell as an administrator. Enter the command wevtutil qe Security "/q:*[System [(EventID=4720)]]"
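
The commands above return raw events. The following added example (not part of the original page) turns the XML of a 4720 event into a one-line summary of who created which account and marks creations by anyone outside an expected list. The function name, the CORP\svc-provision allowlist entry and every value in the sample event are constructed for illustration.

```powershell
# Added example: triage 4720 events. Function name and allowlist entry are hypothetical.
function ConvertFrom-AccountCreatedXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        # Accounts expected to create users (assumption: replace with your provisioning accounts)
        [string[]]$ExpectedCreators = @('CORP\svc-provision')
    )
    process {
        $evt = ([xml]$EventXml).Event
        # Flatten the <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $creator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        [pscustomobject]@{
            TimeCreatedUtc = $evt.System.TimeCreated.SystemTime
            Computer       = $evt.System.Computer
            NewAccount     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            NewSid         = $data['TargetSid']
            CreatedBy      = $creator
            LogonId        = $data['SubjectLogonId']
            # Anything not created by a known provisioning account gets a second look
            NeedsReview    = $ExpectedCreators -notcontains $creator
        }
    }
}

# Constructed sample event, trimmed to the fields used above, so the function runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T14:03:22.000000000Z" />
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">helpdesk2</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-AccountCreatedXml

# Live use from an elevated session:
# Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720} |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-AccountCreatedXml
```

For the sample, NeedsReview is True because CORP\jsmith is not in the allowlist. The LogonId value can be matched against the logon events of the same session to see where the creator signed in from.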