This investigation involved simulating and analyzing suspicious account creation and credential manipulation activity on a Windows system. The objective was to detect unauthorized user account creation behavior, correlate related authentication events, and reconstruct the activity flow using Windows Security Event Logs.
Environment & Tools
Windows Security Event Logs
Event ID analysis (4720, 4724, 4624)
Log correlation techniques
Basic timeline reconstruction methods
Investigation Steps
1. Initial Log Review
I began by analyzing Windows Security Event Logs to identify abnormal account-related activity, focusing on user creation and credential modification events.
2. Detection of Account Creation Event
An instance of Event ID 4720 (a user account was created) was identified, indicating the creation of a new local user account on the system. The Subject fields of this event record the account that performed the creation, and the Target fields record the new account; both were noted for the correlation steps that follow.
This event was flagged for further investigation because no surrounding activity in the log (prior sessions by the creating account, other provisioning events) explained why the account had been created.
3. Detection of Credential Modification Activity
Following the account creation event, Event ID 4724 (an attempt was made to reset an account's password) was observed for the same target account. Note that 4724 is also logged when an administrator sets an account's initial password right after creating it, so the event is not suspicious on its own; it became relevant here because it was part of a chain with no legitimate provisioning context, suggesting credential manipulation in preparation for unauthorized access.
4. Correlation with Logon Activity
A subsequent Event ID 4624 (an account was successfully logged on) was detected whose target account matched the newly created account, indicating that the account was actively used after creation. The event's Logon Type field (for example interactive or remote interactive) shows how the account was used, and its Logon ID can be used to tie later activity to the same session.
This strengthened the suspicion of unauthorized or abnormal account usage.
5. Activity Pattern Validation
The sequence of events showed:
New account creation without prior baseline activity
Password reset (4724) on the new account immediately after creation
Successful login using the same account
No legitimate administrative context observed in the activity chain
This pattern was consistent with potential privilege misuse or unauthorized account provisioning.
Key Findings
New local user account created (Event ID 4720)
Credential modification attempt detected (Event ID 4724)
Successful authentication using newly created account (Event ID 4624)
No evidence of a legitimate administrative account creation workflow
Activity sequence suggests potential privilege abuse or unauthorized access setup
Activity Timeline (Simplified)
New local user account created on the system
Credential modification activity observed
Account used for successful authentication (4624)
Logon session established; the 4624 Logon ID links any later activity to this session
MITRE ATT&CK Mapping
T1136 – Create Account (T1136.001 – Local Account)
T1098 – Account Manipulation (password reset on the new account)
T1078 – Valid Accounts
T1110 – Brute Force (not evidenced by the three events above; would only apply if correlated failed-logon events had been present)
🛡️ Outcome
This controlled investigation demonstrated how unauthorized account creation and credential manipulation activity can be identified through Windows Security Event Log analysis and event correlation.
The sequence of events highlighted a potential privilege abuse scenario, where a newly created account was immediately used for system access without a legitimate administrative context.
📌 Key Takeaway
This case study demonstrates my ability to analyze Windows authentication and account management logs, correlate security events, and identify patterns consistent with privilege abuse or unauthorized account creation scenarios using structured SOC investigation techniques.