1. Home
  2. Techniques
  3. Enterprise
  4. Create Account
  5. Local Account

Create Account: Local Account

ID Name
T1136.001 Local Account
T1136.002 Domain Account
T1136.003 Cloud Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, or to Kubernetes clusters using the kubectl utility.[1][2]

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ID: T1136.001
Sub-technique of:  T1136
Tactic: Persistence
Platforms: Containers, Linux, Network, Windows, macOS
Contributors: Austin Clark, @c2defense
Version: 1.3
Created: 28 January 2020
Last Modified: 16 October 2023

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to create or enable accounts, such as support_388945a0.[3]
G0087 APT39

APT39 has created accounts on multiple compromised hosts to perform actions within the network.[4]
G0096 APT41

APT41 has created user accounts.[5]

G1023 APT5

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[6]
S0274 Calisto

Calisto has the capability to add its own account to the victim's machine.[7]
S0030 Carbanak

Carbanak can create a Windows account.[8]
S1111 DarkGate

DarkGate creates a local user account, SafeMode, via net user commands.[9]
G0035 Dragonfly

Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[10]
S0363 Empire

Empire has a module for creating a local user if permissions allow.[11]
G1016 FIN13

FIN13 has created MS-SQL local accounts in a compromised network.[12]
S0143 Flame

Flame can create backdoor accounts with login "HelpAssistant" on domain connected systems if appropriate rights are available.[13][14]
G0117 Fox Kitten

Fox Kitten has created a local user account with administrator privileges.[15]
S0493 GoldenSpy

GoldenSpy can create new users on an infected system.[16]

S0394 HiddenWasp

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[17]
S0601 Hildegard

Hildegard has created a user named "monerodaemon".[18]
G0094 Kimsuky

Kimsuky has created accounts with net user.[19]
G0077 Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[20]
G0059 Magic Hound

Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[21][22]
S0084 Mis-Type

Mis-Type may create a temporary user on the system named Lost_{Unique Identifier}.[23]
S0039 Net

The net user username \password commands in Net can be used to create a local account.[24]
S0192 Pupy

Pupy can user PowerView to execute "net user" commands and create local system accounts.[25]
S0085 S-Type

S-Type may create a temporary user on the system named Lost_{Unique Identifier} with the password pond~!@6"{Unique Identifier}.[23]
S0382 ServHelper

ServHelper has created a new user named "supportaccount".[26]
S0649 SMOKEDHAM

SMOKEDHAM has created user accounts.[27]
G0139 TeamTNT

TeamTNT has created local privileged users on victim machines.[28]
G0102 Wizard Spider

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.[29]
S0412 ZxShell

ZxShell has a feature to create local user accounts.[30]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.
M1026 Privileged Account Management

Limit the number of accounts permitted to create other accounts. Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, dscl -create, and kubectl create serviceaccount.
DS0009 Process Process Creation

Monitor newly executed processes associated with account creation, such as net.exe

Analytic 1 - Create local admin accounts using net.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= C:\Windows\System32\net.exe OR Image= C:\Windows\System32\net1.exe ) AND CommandLine = * -exportPFX * )
DS0002 User Account User Account Creation

Monitor for newly constructed user and service accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network, a Kubernetes cluster, or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

References

  1. Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
  2. Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.
  3. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  4. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  5. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  6. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  7. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  8. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  9. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  10. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  11. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  12. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  13. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  14. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  15. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  1. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  2. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  3. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  4. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  5. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  6. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  7. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  8. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  9. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  11. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  12. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  13. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  14. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  15. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.