Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the
net user /add /domain command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
|C0025||2016 Ukraine Electric Power Attack||
During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.
Empire has a module for creating a new domain user if permissions allow.
GALLIUM created high-privileged domain user accounts to maintain access to victim networks.
PsExec has the ability to remotely create accounts on target systems.
Pupy can user PowerView to execute "net user" commands and create domain accounts.
Sandworm Team has created new domain accounts on an ICS access server.
Use multi-factor authentication for user and privileged accounts.
Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
|M1028||Operating System Configuration||
Protect domain controllers by ensuring proper security configuration for critical servers.
|M1026||Privileged Account Management||
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add /domain.
Monitor newly executed processes associated with account creation, such as net.exe
|DS0002||User Account||User Account Creation||
Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).