What Is Event ID 4720?
Event ID 4720 is a Windows Security log event generated whenever a new user account is successfully created on a Windows system. You’ll typically find details like the account name, the account’s domain, who created it, and the time it was created.
In a healthy IT environment, you’ll see Event ID 4720 every now and then—new employees join the team, system administrators set up service accounts for certain applications, or you spin up temporary accounts for testing.
On the surface, nothing to worry about… right?
Why Could Event ID 4720 Be a Cybersecurity Threat?
Just because something looks normal doesn’t mean it is. Attackers who’ve gained initial access to your environment will often use legitimate-looking steps to deepen their hold. Creating a new account blends right in with the usual noise of business operations, but it can give them ongoing access and a launching pad for further compromise.
Here’s why you should pay attention:
- Persistence (and stealth): An attacker who creates a new account—especially one that mimics your internal naming conventions—can easily slip under the radar. This new account might have just enough privileges to move laterally, steal data, or launch more attacks without being noticed… at least, not right away.
- Privilege escalation: If the newly created account somehow gains admin-level privileges (or starts out that way), the intruder just unlocked a whole new world of malicious opportunities. With higher-level access, they can disable security tools, create backdoors, or exfiltrate sensitive data undetected.
- Insider threats: A disgruntled insider (or a well-intentioned but careless employee) might create accounts that bypass standard onboarding processes. These rogue accounts may end up being used for shadow IT projects or malicious activities that never get properly tracked.
Ways to Interpret Event ID 4720
Before you sound the alarm, first consider the broader context of the event:
- Frequency and timing: Is a sudden spike in new accounts popping up when no new hires have been onboarded recently? A cluster of unexpected accounts created late at night or outside regular IT maintenance windows could be a red flag.
- Who created the account?: Review which account initiated the creation. Was it a trusted administrator following standard procedure or a lower-privilege user who shouldn’t be able to create accounts?
- Naming conventions and patterns: Attackers often try to blend in, giving their newly created accounts names that look similar to existing ones. If something looks slightly off—like an account name close to a known system account but with a typo—it’s always worth investigating.
- Cross-referencing: Correlate Event ID 4720 with other security events. Are these new accounts appearing alongside suspicious logons (Event IDs like 4625 or 4626), unexpected permission changes, or attempts to access sensitive data?
Reducing Risk
Being proactive is key to preventing new, unauthorized accounts from slipping through the cracks.
Follow these steps to stay safe:
- Very strict access controls: Limit who can create accounts and what privileges new accounts can have. Implement role-based access control (RBAC) so that even if someone does create a new account, it starts with minimal rights.
- Multi-Factor Authentication (MFA): Require MFA for account creation or changes to critical accounts. An attacker might have a stolen password, but without a second factor, they’re stuck at the door.
- Regular audits: Periodically review user accounts to make sure every one of them aligns with a legitimate business need. Spotting and removing unnecessary accounts reduces your attack surface.
- Log monitoring and SIEM: Implement a Managed Security Information and Event Management (SIEM) solution to centralize logs, detect anomalies, and correlate Event ID 4720 with other suspicious activity.
Let Huntress Keep Watch
Finding meaningful signals among the countless events in your environment isn’t always straightforward. Event ID 4720 might look harmless, but watching out for when and why new accounts appear is vital for keeping your network secure.
Huntress managed security solutions continuously monitor your systems, giving context and clarity around events like user account creation. With Huntress Managed SIEM and Managed EDR, you don’t have to worry about missing subtle indicators of compromise or spending hours deciphering logs. We give you only what’s important, guide you toward effective remediation, and help you make sure that no unauthorized account slips through the cracks.
Ready to strengthen your defenses and boost your overall security posture? Schedule a free Huntress demo and see how easy it can be to keep your organization secure from even the sneakiest threats.
Protect What Matters
