Create Account: Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems, the dscl -create command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

ID: T1136.001
Sub-technique of: T1136
Tactic: Persistence
Platforms: Linux, Windows, macOS
Permissions Required: Administrator
Version: 1.1
Created: 28 January 2020
Last Modified: 12 August 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to create or enable accounts, such as support_388945a0.[1]

G0087 APT39

APT39 has created accounts on multiple compromised hosts to perform actions within the network.[2]

G0096 APT41

APT41 created user accounts and added them to the User and Admin groups.[3]

S0274 Calisto

Calisto has the capability to add its own account to the victim's machine.[4]

S0030 Carbanak

Carbanak can create a Windows account.[5]

G0074 Dragonfly 2.0

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[6][7]

S0363 Empire

Empire has a module for creating a local user if permissions allow.[8]

S0143 Flame

Flame can create backdoor accounts with login "HelpAssistant" on domain-connected systems if appropriate rights are available.[9][10]

G0117 Fox Kitten

Fox Kitten has created a local user account with administrator privileges.[11]

S0493 GoldenSpy

GoldenSpy can create new users on an infected system.[12]

S0394 HiddenWasp

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[13]

S0601 Hildegard

Hildegard has created a user named "monerodaemon".[14]

G0077 Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[15]

S0084 Mis-Type

Mis-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}".[16]

S0039 Net

The net user username password /add command in Net can be used to create a local account.[17]

S0192 Pupy

Pupy can use PowerView to execute "net user" commands and create local system accounts.[18]

S0085 S-Type

S-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}" with the password "pond~!@6{{Unique Identifier}}".[16]

S0382 ServHelper

ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.[19]

S0649 SMOKEDHAM

SMOKEDHAM has created user accounts and added them to local Admin groups.[20]

G0139 TeamTNT

TeamTNT has created local privileged users on victim machines.[21]

S0412 ZxShell

ZxShell has a feature to create local user accounts.[22]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1026 Privileged Account Management

Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.

Detection

ID Data Source: Data Component
DS0017 Command: Command Execution
DS0009 Process: Process Creation
DS0002 User Account: User Account Creation

Monitor for processes and command-line parameters associated with local account creation, such as net user /add, useradd, and dscl -create. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system.[23] Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.
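The detection guidance above, as an added example that is not part of the ATT&CK page: a small Python triage routine that recognises the three account-creation command forms the page names (net user /add, useradd, dscl -create), extracts the account being created, and merges those hits with Windows Event ID 4720 records per host and account. Host names, actor names and the event field layout are constructed for the example; the account names reuse ones the procedure examples report.

```python
import shlex

def created_account(cmdline: str):
    """Return (platform, account) when cmdline creates a local account, else None. Covers the
    forms named on the page: net user <name> ... /add, useradd/adduser <name>, dscl -create."""
    try:  # non-posix mode keeps Windows backslashes; surrounding quotes are stripped afterwards
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None  # unbalanced quotes: leave it for a human
    if not toks:
        return None
    exe = toks[0].replace("\\", "/").rsplit("/", 1)[-1].lower()  # strip path, e.g. C:\...\net1.exe
    lower = [t.lower() for t in toks]
    if exe in ("net", "net.exe", "net1", "net1.exe") and len(toks) > 2 and lower[1] == "user" and "/add" in lower:
        if "/domain" in lower or toks[2].startswith("/"):
            return None  # /domain creates a domain account (T1136.002), not a local one
        return ("windows", toks[2])
    if exe in ("useradd", "adduser") and len(toks) > 1 and not toks[-1].startswith("-"):
        return ("linux", toks[-1])  # useradd/adduser take the login name as the last argument
    if exe == "dscl" and "-create" in lower and lower.index("-create") + 1 < len(toks):
        target = toks[lower.index("-create") + 1]
        if target.lower().startswith("/users/"):
            return ("macos", target.split("/")[2])  # attribute writes also match; merged per account
    return None

def triage(process_events, security_events):
    """Merge command-line hits with Windows Event ID 4720 records, keyed by (host, account)."""
    findings = {}
    def note(host, acct, evidence, **extra):
        f = findings.setdefault((host, acct.lower()), {"host": host, "account": acct, "evidence": set()})
        f["evidence"].add(evidence)
        f.update(extra)
    for ev in process_events:
        hit = created_account(ev["cmdline"])
        if hit:
            note(ev["host"], hit[1], "command_line", platform=hit[0], actor=ev["user"])
    for ev in security_events:  # a 4720 with no command line still matters: GUI/API creation leaves none
        if ev.get("EventID") == 4720:
            note(ev["Computer"], ev["TargetUserName"], "event_4720", platform="windows", actor=ev["SubjectUserName"])
    return findings

# Constructed sample telemetry (not from the page); the account names reuse ones the page reports.
PROCESS_EVENTS = [
    {"host": "WS01", "user": "WS01\\svc_helpdesk", "cmdline": 'C:\\Windows\\System32\\net1.exe user "support_388945a0" P@ssw0rd1 /add'},
    {"host": "WS01", "user": "WS01\\svc_helpdesk", "cmdline": "net user support_388945a0"},
    {"host": "WS02", "user": "CORP\\admin", "cmdline": "net user jdoe Summer2021 /add /domain"},
    {"host": "k8s-node-3", "user": "root", "cmdline": "useradd -m -s /bin/bash -G sudo monerodaemon"},
    {"host": "mbp-42", "user": "root", "cmdline": "dscl . -create /Users/svc_update"},
]
SECURITY_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "svc_helpdesk", "TargetUserName": "support_388945a0"},
    {"EventID": 4720, "Computer": "WS03", "SubjectUserName": "bob", "TargetUserName": "HelpAssistant"},
]
```

Running triage(PROCESS_EVENTS, SECURITY_EVENTS) yields four findings: the WS01 account backed by both a command line and a 4720, a 4720-only creation on WS03, and the Linux and macOS command-line hits; the benign query and the /domain creation produce nothing.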

References