T1136.002 Domain Account
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the
net user /add /domain command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
|T1136.001, T1136.002, T1136.003
|Linux, Windows, macOS
|28 January 2020
|23 March 2020
|2016 Ukraine Electric Power Attack
|During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.9
|Empire has a module for creating a new domain user if permissions allow.4
|GALLIUM created high-privileged domain user accounts to maintain access to victim networks.78
|HAFNIUM has created domain accounts.6
net user username \password \domain commands in Net can be used to create a domain account.2
|PsExec has the ability to remotely create accounts on target systems.3
|Pupy can user PowerView to execute “net user” commands and create domain accounts.5
|Sandworm Team has created new domain accounts on an ICS access server.9
|Use multi-factor authentication for user and privileged accounts.
|Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
|Operating System Configuration
|Protect domain controllers by ensuring proper security configuration for critical servers.
|Privileged Account Management
|Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
|User Account Creation