Create Account: Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

ID: T1136.001
Sub-technique of: T1136
Tactic: Persistence
Platforms: Linux, Windows, macOS
Permissions Required: Administrator
Data Sources: Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Version: 1.0
Created: 28 January 2020
Last Modified: 23 March 2020

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to create or enable accounts, such as support_388945a0.[1]

G0087 APT39

APT39 has created accounts on multiple compromised hosts to perform actions within the network.[2]

G0096 APT41

APT41 created user accounts and added them to the User and Admin groups.[3]

S0274 Calisto

Calisto has the capability to add its own account to the victim's machine.[4]

S0030 Carbanak

Carbanak can create a Windows account.[5]

G0074 Dragonfly 2.0

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[6][7]

S0363 Empire

Empire has a module for creating a local user if permissions allow.[8]

S0143 Flame

Flame can create backdoor accounts with login "HelpAssistant" on domain-connected systems if appropriate rights are available.[9][10]

G0117 Fox Kitten

Fox Kitten has created a local user account with administrator privileges.[11]

S0493 GoldenSpy

GoldenSpy can create new users on an infected system.[12]

S0394 HiddenWasp

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[13]

S0601 Hildegard

Hildegard has created a user named "monerodaemon".[14]

G0077 Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[15]

S0084 Mis-Type

Mis-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}."[16]

S0039 Net

The net user username password /add command in Net can be used to create a local account.[17]

S0192 Pupy

Pupy can use PowerView to execute "net user" commands and create local system accounts.[18]

S0085 S-Type

S-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}" with the password "pond~!@6{{Unique Identifier}}".[16]

S0382 ServHelper

ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.[19]

S0412 ZxShell

ZxShell has a feature to create local user accounts.[20]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1026 Privileged Account Management

Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.

Detection

Monitor for processes and command-line parameters associated with local account creation, such as net user /add or useradd. Collect data on account creation within a network. On Windows, Event ID 4720 is generated when a user account is created.[21] Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.
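As an added illustration of the detection guidance above (example code, not part of the ATT&CK page): a small Python script that scans constructed sample telemetry for the three signals named there, Event ID 4720, net user /add command lines and useradd log entries, and groups the evidence per host and account. The pipe/semicolon log format and the field names are assumptions made for the sample; a real pipeline would read them from the SIEM's schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not captured from a real system). Each line is
# "<source>|key=value;...", loosely modelled on Windows events 4720/4688 and auth.log.
SAMPLE_EVENTS = """
win_security|EventID=4720;Computer=WS01;SubjectUserName=svc_backup;TargetUserName=support_388945a0
win_process|EventID=4688;Computer=WS01;ParentProcessName=cmd.exe;CommandLine=net user support_388945a0 pwd123 /add
win_process|EventID=4688;Computer=WS01;ParentProcessName=cmd.exe;CommandLine=net user
win_process|EventID=4688;Computer=WS02;ParentProcessName=explorer.exe;CommandLine=net user /domain
linux_auth|Computer=srv07;Program=useradd;Message=new user: name=monerodaemon, UID=1001, GID=1001, home=/home/monerodaemon, shell=/bin/bash
linux_auth|Computer=srv07;Program=sshd;Message=Accepted publickey for admin from 10.0.0.5 port 51234
""".strip().splitlines()

# Only the "/add" form creates an account; a bare "net user" merely lists accounts.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)(?:\s+\S+)*?\s+/add\b", re.I)
USERADD_LOG = re.compile(r"new user: name=(?P<user>[^,\s]+)")

def parse_event(line):
    """Split one sample line into a dict of fields plus its source tag."""
    source, _, body = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    fields["source"] = source
    return fields

def account_created(event):
    """Return the created account name if the event evidences local account creation, else None."""
    if event["source"] == "win_security" and event.get("EventID") == "4720":
        return event.get("TargetUserName")
    if event["source"] == "win_process":
        m = NET_USER_ADD.search(event.get("CommandLine", ""))
        return m.group("user") if m else None
    if event["source"] == "linux_auth" and event.get("Program") == "useradd":
        m = USERADD_LOG.search(event.get("Message", ""))
        return m.group("user") if m else None
    return None

def detect(lines):
    """Group evidence per (host, account) so a 4720 and its command line land in one finding."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        user = account_created(ev)
        if user:
            findings[(ev.get("Computer"), user)].append(ev["source"])
    return dict(findings)

if __name__ == "__main__":
    for (host, user), evidence in detect(SAMPLE_EVENTS).items():
        print(f"{host}: local account '{user}' created; evidence: {', '.join(evidence)}")
```

Findings backed by both a 4720 event and a matching command line are the easiest to triage; a 4720 with no corresponding process event (or vice versa) is worth a closer look at logging coverage on that host.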

References