Insider Threat Matrix™Insider Threat Matrix™
  • ID: PR042
  • Created: 06th July 2026
  • Updated: 06th July 2026
  • MITRE ATT&CK®: T1136T1136.001T1136.002T1136.003
  • Contributor: The ITM Team

Account Creation

A subject creates a new user account that may enable later access, privilege misuse, persistence, policy circumvention, or unauthorized activity. The account may be created on a local system, within a directory service, inside a cloud identity environment, or directly within an application or software-as-a-service platform.

 

Account creation may occur through legitimate administrative permissions, service desk workflows, onboarding processes, break-glass procedures, cloud consoles, or application administration functions. It becomes preparatory when the account is unnecessary, undocumented, excessive, outside the subject’s role requirements, retained beyond an approved purpose, or positioned for later use outside normal identity governance processes.

Subsections (4)

ID Name Description
PR042.004Application Account Creation

A subject creates a user account directly within an enterprise application, internal platform, business system, or software-as-a-service environment. Application accounts may provide access to records, workflows, administrative functions, customer data, financial data, support tools, or operational processes managed inside that application.

 

Application accounts may be created through application administration consoles, SaaS management portals, support interfaces, local user stores, application programming interfaces, or built-in provisioning features. The account’s access may be shaped by application-specific roles, permissions, approval authority, data scope, workflow privileges, and administrative capabilities.

PR042.003Cloud User Account Creation

A subject creates a user account within a cloud identity provider, cloud tenant, or cloud infrastructure environment. Cloud accounts may provide access to cloud services, management consoles, storage resources, workloads, applications, identity permissions, and administrative functions.

 

Cloud user accounts may be created through cloud portals, identity provider administration consoles, application programming interfaces, command-line tools, infrastructure-as-code workflows, or automated provisioning processes. The account’s access may be shaped by assigned roles, groups, licenses, conditional access scope, application permissions, and tenant-level privileges.

PR042.002Domain User Account Creation

A subject creates a user account within a centralized directory service, such as Active Directory, Lightweight Directory Access Protocol (LDAP), or another enterprise identity directory. Domain accounts may provide access across multiple systems, applications, file shares, administrative services, and enterprise workflows.

 

Domain user accounts may be created through directory administration tools, identity management platforms, service desk workflows, scripts, or administrative command-line utilities. The account’s access is shaped by group membership, organizational unit placement, directory attributes, access policies, and assigned permissions.

PR042.001Local User Account Creation

A subject creates a local user account on an endpoint, server, appliance, or standalone system. Local accounts authenticate directly to the system on which they are created and may provide access without relying on centralized directory, cloud, or federated identity controls.

 

Local user accounts may be created through operating system utilities, administrative consoles, scripts, endpoint management tools, or direct modification of local account stores. Depending on configuration, the account may provide interactive login, remote access, local administrator rights, or access to locally hosted services and data.