Adversaries with a sufficient level of access may create a local system or domain account. Such accounts can provide persistence without requiring persistent remote access tools to be deployed on the system.
The net user command can be used to create a local or domain account.
| Mitigation | Description |
|---|---|
| Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
| Network Segmentation | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers. |
| Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system or domain controller. Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
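The detection guidance above can be turned into a small triage routine over collected 4720 events. The following is an added example, not part of the original page: it runs over constructed 4720 records in the JSON shape a SIEM export might produce, flags creations by accounts that are not on a hypothetical allowlist of provisioning accounts, creations outside a hypothetical business-hours window, and local accounts created on member hosts (target domain differs from the subject's domain), and includes a periodic audit that compares the accounts observed on a system against an approved inventory. The allowlist, hours window and field names beyond the standard 4720 fields (SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName) are assumptions for the example.

```python
"""Triage of Windows Event ID 4720 (user account created) records.

Added example, not code from the original page. The sample events are
constructed; the approved-creator list and business-hours window are a
hypothetical policy that a real deployment would replace with its own.
"""
import json
from datetime import datetime, time

# Constructed sample: two 4720 events plus one unrelated logon event (4624).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-04T09:15:22Z",
     "Computer": "DC01.corp.example", "SubjectUserName": "svc_provisioning",
     "SubjectDomainName": "CORP", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP"},
    {"EventID": 4720, "TimeCreated": "2024-03-04T02:41:07Z",
     "Computer": "WS-042.corp.example", "SubjectUserName": "bsmith",
     "SubjectDomainName": "CORP", "TargetUserName": "support",
     "TargetDomainName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:16:00Z",
     "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP"},
]

# Hypothetical policy (assumption): only these accounts may create users,
# and only during this window (UTC).
APPROVED_CREATORS = {"svc_provisioning", "it_admin"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_events(raw_json):
    """Load exported events and keep only account-creation (4720) records."""
    return [e for e in json.loads(raw_json) if e.get("EventID") == 4720]


def find_suspicious_creations(events, approved=APPROVED_CREATORS,
                              hours=BUSINESS_HOURS):
    """Return one finding per 4720 event that violates the policy.

    Each finding lists every reason it was flagged so an analyst can
    prioritise: unapproved creator, off-hours creation, or a local
    account created on a member host by a domain principal.
    """
    findings = []
    for e in events:
        if e.get("EventID") != 4720:
            continue  # ignore anything that is not an account creation
        reasons = []
        creator = e["SubjectUserName"]
        if creator not in approved:
            reasons.append("creator %r is not an approved provisioning account"
                           % creator)
        # 4720 timestamps are exported in UTC; "Z" is normalised for fromisoformat.
        ts = datetime.fromisoformat(e["TimeCreated"].replace("Z", "+00:00"))
        if not (hours[0] <= ts.time() <= hours[1]):
            reasons.append("created outside business hours (%s UTC)"
                           % ts.time().strftime("%H:%M"))
        # Heuristic: when the target's domain is the computer name rather than
        # the subject's domain, a local account was created on a member host.
        if e["TargetDomainName"] != e["SubjectDomainName"]:
            reasons.append("local account created on %s by a %s principal"
                           % (e["Computer"], e["SubjectDomainName"]))
        if reasons:
            findings.append({
                "account": "%s\\%s" % (e["TargetDomainName"], e["TargetUserName"]),
                "created_by": "%s\\%s" % (e["SubjectDomainName"], creator),
                "host": e["Computer"],
                "time": e["TimeCreated"],
                "reasons": reasons,
            })
    return findings


def audit_accounts(observed, inventory):
    """Periodic audit: accounts present on a system or domain that the
    approved inventory does not know about. Both arguments are sets of
    account names (e.g. from an enumerated SAM or AD export)."""
    return set(observed) - set(inventory)


if __name__ == "__main__":
    events = parse_events(json.dumps(SAMPLE_EVENTS))
    for f in find_suspicious_creations(events):
        print("SUSPICIOUS %s created by %s on %s at %s"
              % (f["account"], f["created_by"], f["host"], f["time"]))
        for r in f["reasons"]:
            print("  - " + r)
    unknown = audit_accounts({"jdoe", "support", "backup_svc"}, {"jdoe", "support"})
    print("Accounts missing from inventory:", sorted(unknown))
```

In practice the JSON input would come from the SIEM or from a Windows event export, and the inventory for the audit from the identity system of record; the off-hours and creator checks are cheap first-pass filters, while the inventory diff is what catches an account created through a channel that never logged a 4720 at all.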