T1136.002 Domain Account
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
| Item | Value |
|---|---|
| ID | T1136.002 |
| Sub-techniques | T1136.001, T1136.002, T1136.003 |
| Tactics | TA0003 |
| Platforms | Linux, Windows, macOS |
| Permissions required | Administrator |
| Version | 1.0 |
| Created | 28 January 2020 |
| Last Modified | 23 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.9 |
| S0363 | Empire | Empire has a module for creating a new domain user if permissions allow.4 |
| G0093 | GALLIUM | GALLIUM created high-privileged domain user accounts to maintain access to victim networks.78 |
| G0125 | HAFNIUM | HAFNIUM has created domain accounts.6 |
| S0039 | Net | The net user username \password \domain commands in Net can be used to create a domain account.2 |
| S0029 | PsExec | PsExec has the ability to remotely create accounts on target systems.3 |
| S0192 | Pupy | Pupy can user PowerView to execute “net user” commands and create domain accounts.5 |
| G0034 | Sandworm Team | Sandworm Team has created new domain accounts on an ICS access server.9 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
| M1030 | Network Segmentation | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| M1028 | Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers. |
| M1026 | Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
| DS0002 | User Account | User Account Creation |
References
-
Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017. ↩
-
Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. ↩
-
Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. ↩
-
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
-
MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. ↩
-
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. ↩↩