Skip to content

T1136.002 Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Item Value
ID T1136.002
Sub-techniques T1136.001, T1136.002, T1136.003
Tactics TA0003
Platforms Linux, Windows, macOS
Permissions required Administrator
Version 1.0
Created 28 January 2020
Last Modified 23 March 2020

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.9
S0363 Empire Empire has a module for creating a new domain user if permissions allow.4
G0093 GALLIUM GALLIUM created high-privileged domain user accounts to maintain access to victim networks.78
G0125 HAFNIUM HAFNIUM has created domain accounts.6
S0039 Net The net user username \password \domain commands in Net can be used to create a domain account.2
S0029 PsExec PsExec has the ability to remotely create accounts on target systems.3
S0192 Pupy Pupy can user PowerView to execute “net user” commands and create domain accounts.5
G0034 Sandworm Team Sandworm Team has created new domain accounts on an ICS access server.9


ID Mitigation Description
M1032 Multi-factor Authentication Use multi-factor authentication for user and privileged accounts.
M1030 Network Segmentation Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
M1028 Operating System Configuration Protect domain controllers by ensuring proper security configuration for critical servers.
M1026 Privileged Account Management Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.


ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0002 User Account User Account Creation