1. Home
  2. Techniques
  3. Enterprise
  4. Create Account
  5. Domain Account

Create Account: Domain Account

ID Name
T1136.001 Local Account
T1136.002 Domain Account
T1136.003 Cloud Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.[1]

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ID: T1136.002
Sub-technique of:  T1136
Tactic: Persistence
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 28 January 2020
Last Modified: 01 February 2024
Version Permalink

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement. [2]
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.[3]
S0363 Empire

Empire has a module for creating a new domain user if permissions allow.[4]
G0093 GALLIUM

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[5][6]
G0125 HAFNIUM

HAFNIUM has created domain accounts.[7]
S0039 Net

The net user username \password \domain commands in Net can be used to create a domain account.[1]
S0029 PsExec

PsExec has the ability to remotely create accounts on target systems.[8]
S0192 Pupy

Pupy can user PowerView to execute "net user" commands and create domain accounts.[9]
G0102 Wizard Spider

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.[10]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.
M1030 Network Segmentation

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
M1028 Operating System Configuration

Protect domain controllers by ensuring proper security configuration for critical servers.
M1026 Privileged Account Management

Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add /domain.
DS0009 Process Process Creation

Monitor newly executed processes associated with account creation, such as net.exe
DS0002 User Account User Account Creation

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

References

  1. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  2. Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22
  3. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  4. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  5. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  1. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  2. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  3. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.