1. Home
  2. Techniques
  3. Enterprise
  4. Create Account
  5. Domain Account

Create Account: Domain Account

ID Name
T1136.001 Local Account
T1136.002 Domain Account
T1136.003 Cloud Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.[1]

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ID: T1136.002
Sub-technique of:  T1136
Tactic: Persistence
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 28 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement. [2]
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.[3]
G1043 BlackByte

BlackByte created privileged domain accounts during intrusions.[4]
S0363 Empire

Empire has a module for creating a new domain user if permissions allow.[5]
G0093 GALLIUM

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[6][7]
G0125 HAFNIUM

HAFNIUM has created domain accounts.[8][9]
G1051 Medusa Group

Medusa Group has created a domain account within the victim environment.[10]
S0039 Net

The net user username \password \domain commands in Net can be used to create a domain account.[1]
S0029 PsExec

PsExec has the ability to remotely create accounts on target systems.[11]
S0192 Pupy

Pupy can user PowerView to execute "net user" commands and create domain accounts.[12]
G0102 Wizard Spider

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.[13]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.
M1030 Network Segmentation

Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
M1028 Operating System Configuration

Protect domain controllers by ensuring proper security configuration for critical servers.
M1026 Privileged Account Management

Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms AN0006

Adversary uses built-in tools such as 'net user /add /domain' or PowerShell to create a domain user account. The behavior chain includes: (1) suspicious process execution on a domain controller followed by (2) user account creation event (Event ID 4720) on the same host.
AN0007

Adversary with access to domain management tools (e.g., realmd, samba-tool, ldapmodify) creates a new domain user via command-line utilities. Behavior chain: LDAP command or script triggers → user entry added in AD via Kerberos/LDAP traffic.
AN0008

macOS clients joined to AD via LDAP may script account provisioning via dsconfigad, dscl, or LDAP scripts. Detection occurs when such tools run on a domain-joined system, followed by authentication attempts by a previously unseen account.

References

  1. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  2. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  3. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  4. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  5. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  6. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  7. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  1. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  2. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  3. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  4. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  5. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  6. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.