| ID | Name |
|---|---|
| T1098.001 | Additional Cloud Credentials |
| T1098.002 | Additional Email Delegate Permissions |
| T1098.003 | Additional Cloud Roles |
| T1098.004 | SSH Authorized Keys |
| T1098.005 | Device Registration |
| T1098.006 | Additional Container Cluster Roles |
| T1098.007 | Additional Local or Domain Groups |
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups.[1][2] On Linux, adversaries may use the usermod command for the same purpose.[3]
For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage Remote Desktop Protocol to log into the endpoints in the future.[4] On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges.
In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.[5]
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 |
APT3 has been known to add created accounts to local admin groups to maintain elevated access.[6] |
| G0096 | APT41 |
APT41 has added user accounts to the User and Admin groups.[7] |
| G1023 | APT5 |
APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[8] |
| S1111 | DarkGate |
DarkGate elevates accounts created through the malware to the local administration group during execution.[9] |
| G0035 | Dragonfly |
Dragonfly has added newly created accounts to the administrators group to maintain elevated access.[10] |
| G1016 | FIN13 |
FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.[11] |
| G0094 | Kimsuky |
Kimsuky has added accounts to specific groups with |
| G0059 | Magic Hound |
Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[13] |
| S0039 | Net |
The |
| S0382 | ServHelper |
ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.[14] |
| S0649 | SMOKEDHAM |
SMOKEDHAM has added user accounts to local Admin groups.[15] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0002 | User Account | User Account Modification |
Monitor events for changes to account objects and/or permissions on systems and the domain. Monitor for modification of account permissions in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts or machine accounts being unexpectedly added into security groups. Monitor for accounts assigned to admin roles, such as Windows domain administrators, that go over a certain threshold of known admins. |