# T1136 - Create Account

Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts can provide persistence without requiring a persistent remote access tool to be deployed on the system.

In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

### Windows

The `net user` command can be used to create a local or domain account.

### Office 365

An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office 365 tenant.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)

## Atomic Tests


## Atomic Test #1 - Create a user account on a Linux system

Create a user via `useradd`.

**Supported Platforms:** Linux

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user |

#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
useradd -M -N -r -s /bin/bash -c evil_account #{username}
```

#### Cleanup Commands:

```bash
userdel #{username}
```


## Atomic Test #2 - Create a user account on a macOS system

Creates a user on a macOS system with `dscl`.

**Supported Platforms:** macOS

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user |
| realname | 'realname' to record when creating the user | String | Evil Account |

#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"      # hard-coded UID; check that 1010 is not already in use on the test host
dscl . -create /Users/#{username} PrimaryGroupID 80    # GID 80 is the macOS admin group
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```

#### Cleanup Commands:

```bash
dscl . -delete /Users/#{username}
```


## Atomic Test #3 - Create a new user in a command prompt

Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run `net user` in PowerShell or CMD and observe that there is a new user named "T1136_CMD".

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136_CMD |
| password | Password of the user to create | String | T1136_CMD! |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
net user /add "#{username}" "#{password}"
```

#### Cleanup Commands:

```cmd
net user /del "#{username}" >nul 2>&1
```


## Atomic Test #4 - Create a new user in PowerShell

Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the PowerShell session. To verify the new account, run `net user` in PowerShell or CMD and observe that there is a new user named "T1136_PowerShell".

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136_PowerShell |

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
New-LocalUser -Name "#{username}" -NoPassword
```

#### Cleanup Commands:

```powershell
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
```
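Both Windows tests above leave a Security event 4720 ("A user account was created") on the host. The following triage script is an added example, not Atomic Red Team code: it reads an XML export of such events, keeps only the 4720 records, and flags creations that break three assumed site-policy rules (creator not a provisioning account, creation outside the change window, or a local SAM account rather than a domain one). The EventData field names are the real 4720 fields; the hosts, users, timestamps and the policy constants are constructed.

```python
"""Triage Windows Security event 4720 records for unexpected account creation.

Added example, not Atomic Red Team code. The records below are constructed
in the XML shape `wevtutil qe Security /f:xml` emits; the Data Name values
are the real 4720 fields, every host, user and timestamp is made up."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

_TMPL = (
    '<Event xmlns="{ns}"><System><EventID>{eid}</EventID>'
    '<TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer></System>'
    '<EventData><Data Name="TargetUserName">{target}</Data>'
    '<Data Name="TargetDomainName">{tdom}</Data>'
    '<Data Name="SubjectUserName">{subject}</Data>'
    '<Data Name="SubjectDomainName">{sdom}</Data></EventData></Event>'
)

# Constructed sample rows: (EventID, time, host, target, target domain, subject, subject domain).
# Row 3 is a 4726 (account deleted) record, included to show that it is filtered out.
_SAMPLE_ROWS = [
    (4720, "2024-05-03T02:14:07.000000000Z", "WS01.corp.example", "T1136_CMD", "WS01", "jdoe", "CORP"),
    (4720, "2024-05-03T10:05:41.000000000Z", "DC01.corp.example", "alice", "CORP", "svc-provisioning", "CORP"),
    (4726, "2024-05-03T10:07:02.000000000Z", "DC01.corp.example", "tempuser", "CORP", "svc-provisioning", "CORP"),
    (4720, "2024-05-03T13:40:19.000000000Z", "WS02.corp.example", "T1136_PowerShell", "WS02", "svc-provisioning", "CORP"),
]
SAMPLE_EVENTS = "<Events>" + "".join(
    _TMPL.format(ns=NS_URI, eid=r[0], ts=r[1], host=r[2], target=r[3], tdom=r[4], subject=r[5], sdom=r[6])
    for r in _SAMPLE_ROWS) + "</Events>"

# Assumed site policy: accounts are provisioned only by this service account,
# only as domain accounts, and only inside the UTC change window.
PROVISIONING_ACCOUNTS = {"svc-provisioning"}
KNOWN_DOMAINS = {"CORP"}
CHANGE_WINDOW_UTC = (8, 18)  # start hour inclusive, end hour exclusive


def parse_4720(xml_text):
    """Return one dict per 4720 record in the export; other event IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4720":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append({
            # Drop the fractional seconds before parsing; the export carries nanoseconds.
            "time": datetime.strptime(ts.split(".")[0], "%Y-%m-%dT%H:%M:%S"),
            "host": ev.findtext("e:System/e:Computer", namespaces=NS),
            "target": data["TargetUserName"],
            "target_domain": data["TargetDomainName"],
            "subject": data["SubjectUserName"],
        })
    return records


def triage(xml_text, allowlist=PROVISIONING_ACCOUNTS, domains=KNOWN_DOMAINS, window=CHANGE_WINDOW_UTC):
    """Return (target, reasons) for every creation that breaks at least one policy rule."""
    findings = []
    for rec in parse_4720(xml_text):
        reasons = []
        if rec["subject"] not in allowlist:
            reasons.append("creator not in provisioning allowlist")
        if not window[0] <= rec["time"].hour < window[1]:
            reasons.append("created outside change window")
        if rec["target_domain"] not in domains:
            # For a local SAM account TargetDomainName is the computer's own name, not the AD domain.
            reasons.append("local account on domain-joined host")
        if reasons:
            findings.append((rec["target"], reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_EVENTS):
        print(f"{target}: {'; '.join(reasons)}")
```

On the constructed sample, `T1136_CMD` trips all three rules and `T1136_PowerShell` only the local-account rule, while the provisioning account's domain creation of `alice` produces no finding; the 4726 deletion is ignored by the EventID filter.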


## Atomic Test #5 - Create a new user in Linux with root UID and GID

Creates a new user in Linux with UID 0 and GID 0, so the account shares root's identity and primary group. This technique was used by adversaries during the Butter attack campaign.

**Supported Platforms:** Linux

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | butter |
| password | Password of the user to create | String | BetterWithButter |

#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}   # -o permits the duplicate UID 0
echo "#{password}" | passwd --stdin #{username}   # --stdin is a Red Hat-family extension; use `echo "user:pass" | chpasswd` on distributions whose passwd lacks it
```

#### Cleanup Commands:

```bash
userdel #{username}
```
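Tests #1 and #5 above both leave two artefacts a defender can check: a `new user:` line that `useradd` writes to the auth log, and a new `/etc/passwd` entry (for test #5, one that shares UID 0 with root). The script below is an added example, not Atomic Red Team code: it parses both sources and flags the two patterns these tests produce, a system-range UID with an interactive shell (`useradd -r -s /bin/bash`) and a second UID-0 account (`useradd -o -u 0`). The passwd and auth.log content is constructed; the `new user:` line layout is the one shadow-utils `useradd` logs, and the UID threshold is the Debian/RHEL default.

```python
"""Flag account creations of the kind the Linux tests above produce.

Added example, not Atomic Red Team code. SAMPLE_PASSWD and SAMPLE_AUTH_LOG
are constructed; the useradd log line layout follows shadow-utils."""
import re

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
UID_MIN = 1000  # first regular-user UID (assumed distro default); lower UIDs are system accounts

# Constructed /etc/passwd: the last two entries are what tests #1 and #5 leave behind.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
evil_user:x:998:100:evil_account:/home/evil_user:/bin/bash
butter:x:0:0::/root:/bin/bash
"""

# Constructed auth.log excerpt; 'deploy' is a normal provisioning for contrast.
SAMPLE_AUTH_LOG = """May  3 02:14:07 web1 useradd[4121]: new user: name=evil_user, UID=998, GID=100, home=/home/evil_user, shell=/bin/bash, from=/dev/pts/0
May  3 09:30:12 web1 useradd[5287]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash, from=none
May  3 02:16:55 web1 useradd[4150]: new user: name=butter, UID=0, GID=0, home=/root, shell=/bin/bash, from=/dev/pts/0
May  3 02:17:01 web1 passwd[4152]: pam_unix(passwd:chauthtok): password changed for butter
"""

_USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), "
    r"GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)"
)


def passwd_entries(passwd_text):
    """Yield (name, uid, gid, shell) for each well-formed passwd line."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], int(fields[2]), int(fields[3]), fields[6]


def uid0_accounts(passwd_text):
    """Names other than root that resolve to UID 0 (what `useradd -o -u 0` creates)."""
    return [n for n, uid, _, _ in passwd_entries(passwd_text) if uid == 0 and n != "root"]


def interactive_system_accounts(passwd_text, uid_min=UID_MIN):
    """System-range accounts (as `useradd -r` makes) that nonetheless carry a login shell."""
    return [n for n, uid, _, shell in passwd_entries(passwd_text)
            if 0 < uid < uid_min and shell not in NOLOGIN_SHELLS]


def parse_useradd_log(log_text):
    """Extract the fields of every `useradd ... new user:` line."""
    events = []
    for line in log_text.splitlines():
        m = _USERADD_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["uid"], ev["gid"] = int(ev["uid"]), int(ev["gid"])
            events.append(ev)
    return events


def flag_useradd_events(log_text, uid_min=UID_MIN):
    """Return (name, reason) for each logged creation matching one of the two patterns."""
    findings = []
    for ev in parse_useradd_log(log_text):
        if ev["uid"] == 0:
            findings.append((ev["name"], "new account created with UID 0"))
        elif ev["uid"] < uid_min and ev["shell"] not in NOLOGIN_SHELLS:
            findings.append((ev["name"], "system-range UID with interactive shell"))
    return findings


if __name__ == "__main__":
    print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("system accounts with a shell:", interactive_system_accounts(SAMPLE_PASSWD))
    for name, reason in flag_useradd_events(SAMPLE_AUTH_LOG):
        print(f"{name}: {reason}")
```

The passwd checks catch accounts that already exist, the log check catches the moment of creation; running both covers hosts where log retention is short as well as hosts where the account was created before monitoring started. On a real system, point `uid0_accounts` at `/etc/passwd` and `flag_useradd_events` at `/var/log/auth.log` or `/var/log/secure`.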