Create Account: Local Account
Other sub-techniques of Create Account (3)
ID | Name |
---|---|
T1136.001 | Local Account |
T1136.002 | Domain Account |
T1136.003 | Cloud Account |
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Procedure Examples
Name | Description |
---|---|
APT3 | APT3 has been known to create or enable accounts, such as |
APT39 | APT39 has created accounts on multiple compromised hosts to perform actions within the network.[2] |
APT41 | APT41 created user accounts and added them to the User and Admin groups.[3] |
Calisto | Calisto has the capability to add its own account to the victim's machine.[4] |
Carbanak | |
Dragonfly 2.0 | Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[6][7] |
Empire | Empire has a module for creating a local user if permissions allow.[8] |
Flame | Flame can create backdoor accounts with login "HelpAssistant" on domain-connected systems if appropriate rights are available.[9][10] |
GoldenSpy | |
HiddenWasp | HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[12] |
Leafminer | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[13] |
Mis-Type | Mis-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}".[14] |
Net | The |
Pupy | Pupy can use PowerView to execute "net user" commands and create local system accounts.[16] |
S-Type | S-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}" with the password "pond~!@6"{{Unique Identifier}}.[14] |
ServHelper | ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.[17] |
ZxShell | |
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
Privileged Account Management | Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries. |
Detection
Monitor for processes and command-line parameters associated with local account creation, such as net user /add or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system; it is written to the Security log of the host on which the account was created and requires the "Audit User Account Management" subcategory to be enabled.[19] On Linux, useradd logs the new account through syslog (auth facility) and the new entry appears in /etc/passwd. Perform regular audits of local system accounts, comparing them against a known-good baseline, to detect suspicious accounts that may have been created by an adversary.
References
1. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
2. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
3. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
4. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
5. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
6. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
7. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
8. Schroeder, W., Warner, J., Nelson, M. (n.d.). GitHub PowerShellEmpire. Retrieved April 28, 2016.
9. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
10. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice… Retrieved March 1, 2017.
11. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
12. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
13. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
14. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
15. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
16. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
17. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
18. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
19. Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.