| ID | Name |
|---|---|
| T1136.001 | Local Account |
| T1136.002 | Domain Account |
| T1136.003 | Cloud Account |
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 |
APT3 has been known to create or enable accounts, such as |
| G0087 | APT39 |
APT39 has created accounts on multiple compromised hosts to perform actions within the network.[2] |
| G0096 | APT41 |
APT41 created user accounts and adds them to the User and Admin groups.[3] |
| S0274 | Calisto |
Calisto has the capability to add its own account to the victim's machine.[4] |
| S0030 | Carbanak | |
| G0074 | Dragonfly 2.0 |
Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[6][7] |
| S0363 | Empire |
Empire has a module for creating a local user if permissions allow.[8] |
| S0143 | Flame |
Flame can create backdoor accounts with login "HelpAssistant" on domain connected systems if appropriate rights are available.[9][10] |
| G0117 | Fox Kitten |
Fox Kitten has created a local user account with administrator privileges.[11] |
| S0493 | GoldenSpy | |
| S0394 | HiddenWasp |
HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[13] |
| S0601 | Hildegard | |
| G0077 | Leafminer |
Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[15] |
| S0084 | Mis-Type |
Mis-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}."[16] |
| S0039 | Net |
The |
| S0192 | Pupy |
Pupy can user PowerView to execute "net user" commands and create local system accounts.[18] |
| S0085 | S-Type |
S-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}" with the password "pond~!@6"{{Unique Identifier}}."[16] |
| S0382 | ServHelper |
ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.[19] |
| S0649 | SMOKEDHAM |
SMOKEDHAM has created user accounts and added them to local Admin groups.[20] |
| G0139 | TeamTNT |
TeamTNT has created local privileged users on victim machines.[21] |
| S0412 | ZxShell |
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. |
| M1026 | Privileged Account Management |
Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
| DS0002 | User Account | User Account Creation |
Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. [23] Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.