Account Manipulation: Additional Local or Domain Groups

An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.

On Windows, accounts may use the net localgroup and net group commands to add existing users to local and domain groups.[1][2] On Linux, adversaries may use the usermod command for the same purpose.[3]

For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage Remote Desktop Protocol to log into the endpoints in the future.[4] On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges.

In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.[5]

ID: T1098.007
Sub-technique of: T1098
Platforms: Linux, Windows, macOS
Contributors: Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
Version: 1.0
Created: 05 August 2024
Last Modified: 14 October 2024

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to add created accounts to local admin groups to maintain elevated access.[6]

G0096 APT41

APT41 has added user accounts to the User and Admin groups.[7]

G1023 APT5

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[8]

S1111 DarkGate

DarkGate elevates accounts created through the malware to the local administration group during execution.[9]

G0035 Dragonfly

Dragonfly has added newly created accounts to the administrators group to maintain elevated access.[10]

G1016 FIN13

FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.[11]

G0094 Kimsuky

Kimsuky has added accounts to specific groups with net localgroup.[12]

G0059 Magic Hound

Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.[13]

S0039 Net

The net localgroup and net group commands in Net can be used to add existing users to local and domain groups.[1][2]

S0382 ServHelper

ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.[14]

S0649 SMOKEDHAM

SMOKEDHAM has added user accounts to local Admin groups.[15]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID: DS0002 | Data Source: User Account | Data Component: User Account Modification

Monitor events for changes to account objects and/or permissions on systems and the domain. Monitor for modification of account permissions in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts or machine accounts being unexpectedly added into security groups. Monitor for accounts assigned to admin roles, such as Windows domain administrators, that go over a certain threshold of known admins.
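The monitoring described above, as an added example that is not part of the ATT&CK page: a small Python triage pass over constructed, simplified records modelled on the standard Windows Security log event IDs for group-membership additions (4732 local, 4728 global, 4756 universal; these IDs are not named on the page). It flags additions to the groups the technique text singles out, machine accounts added to groups, changes outside a constructed business-hours baseline, an admin headcount exceeding a constructed approved-admin list, and one account gaining both an elevated and a remote-logon group, as in the Magic Hound and ServHelper examples.

```python
# Constructed sample records, simplified from Windows Security events 4732
# (member added to a local group) and 4728 (member added to a global domain
# group); real events carry SIDs and timestamps rather than these flat fields.
SAMPLE_EVENTS = [
    {"id": 4732, "group": "Administrators",        "member": "WS01\\supportaccount", "actor": "WS01\\jdoe",       "hour": 3},
    {"id": 4732, "group": "Remote Desktop Users",  "member": "WS01\\supportaccount", "actor": "WS01\\jdoe",       "hour": 3},
    {"id": 4728, "group": "Domain Admins",         "member": "CORP\\WS01$",          "actor": "CORP\\svc_deploy", "hour": 14},
    {"id": 4728, "group": "Domain Admins",         "member": "CORP\\alice",          "actor": "CORP\\admin1",     "hour": 10},
    {"id": 4732, "group": "Performance Log Users", "member": "WS01\\carol",          "actor": "WS01\\admin1",     "hour": 11},
    {"id": 4720, "group": None,                    "member": "WS01\\supportaccount", "actor": "WS01\\jdoe",       "hour": 3},
]

MEMBER_ADDED_IDS = {4732, 4728, 4756}   # local, global and universal group additions
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users", "Domain Admins"}
BUSINESS_HOURS = range(8, 19)                           # constructed baseline: 08:00-18:59
KNOWN_DOMAIN_ADMINS = {"CORP\\admin1", "CORP\\admin2"}  # constructed approved-admin list

def is_machine_account(member):
    # AD computer accounts carry a trailing '$', e.g. CORP\WS01$
    return member.rsplit("\\", 1)[-1].endswith("$")

def analyze(events, known_admins=KNOWN_DOMAIN_ADMINS):
    """Return (reason, detail) pairs for group additions an analyst should triage."""
    alerts = []
    domain_admins = set(known_admins)   # running view of who holds the admin role
    sensitive_hits = {}                 # member -> sensitive groups gained, for correlation
    for ev in events:
        if ev["id"] not in MEMBER_ADDED_IDS:
            continue                    # e.g. 4720 account creation is handled elsewhere
        if ev["group"] in SENSITIVE_GROUPS:
            alerts.append(("sensitive group", ev))
            sensitive_hits.setdefault(ev["member"], []).append(ev["group"])
        if is_machine_account(ev["member"]):
            alerts.append(("machine account added to group", ev))
        if ev["hour"] not in BUSINESS_HOURS:
            alerts.append(("change outside business hours", ev))
        if ev["group"] == "Domain Admins":
            domain_admins.add(ev["member"])
            if len(domain_admins) > len(known_admins):
                alerts.append(("admin count above baseline", ev))
    # Correlation: one account gaining both elevated and remote-logon groups
    for member, groups in sensitive_hits.items():
        if len(groups) > 1:
            alerts.append(("added to multiple sensitive groups", {"member": member, "groups": groups}))
    return alerts

if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_EVENTS):
        print(f"{reason}: {detail}")
```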

References