Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Локальная учетная запись
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Локальная учетная запись
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Create Account:  Локальная учетная запись

ID Название
.001 Локальная учетная запись
.002 Доменная учетная запись
.003 Облачная учетная запись

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ID: T1136.001
Относится к технике:  T1136
Тактика(-и): Persistence
Платформы: Containers, ESXi, Linux, Network Devices, Windows, macOS
Источники данных: Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Версия: 1.4
Дата создания: 28 Jan 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Net

The net user username \password commands in Net can be used to create a local account.(Citation: Savill 1999)
Empire

Empire has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire)
Hildegard

Hildegard has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware)
S-Type

S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6”{Unique Identifier}`.(Citation: Cylance Dust Storm)
DarkGate

DarkGate creates a local user account, SafeMode, via net user commands.(Citation: Ensilo Darkgate 2018)
Carbanak

Carbanak can create a Windows account.(Citation: FireEye CARBANAK June 2017)
SMOKEDHAM

SMOKEDHAM has created user accounts.(Citation: FireEye SMOKEDHAM June 2021)
ServHelper

ServHelper has created a new user named "supportaccount".(Citation: Proofpoint TA505 Jan 2019)
Calisto

Calisto has the capability to add its own account to the victim's machine.(Citation: Symantec Calisto July 2018)
GoldenSpy

GoldenSpy can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020)

Pupy

Pupy can user PowerView to execute “net user” commands and create local system accounts.(Citation: GitHub Pupy)
ZxShell

ZxShell has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014)
Mis-Type

Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.(Citation: Cylance Dust Storm)
HiddenWasp

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.(Citation: Intezer HiddenWasp Map 2019)
Flame

Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)
Fox Kitten

Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020)
Indrik Spider

Indrik Spider has created local system accounts and has added the accounts to privileged groups.(Citation: Mandiant_UNC2165)
APT39

APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)
Dragonfly 2.0

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)
Wizard Spider

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.(Citation: Mandiant FIN12 Oct 2021)
Dragonfly

Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)
FIN13

FIN13 has created MS-SQL local accounts in a compromised network.(Citation: Sygnia Elephant Beetle Jan 2022)
Kimsuky

Kimsuky has created accounts with net user.(Citation: KISA Operation Muzabi)
Magic Hound

Magic Hound has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021)
TeamTNT

TeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020)
APT5

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)
Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citation: Symantec Leafminer July 2018)
APT3

APT3 has been known to create or enable accounts, such as support_388945a0.(Citation: aptsim)
Daggerfly

Daggerfly created a local account on victim machines to maintain access.(Citation: Symantec Daggerfly 2023)
APT41

APT41 has created user accounts.(Citation: FireEye APT41 Aug 2019)

Контрмеры
Контрмера Описание
Multi-factor Authentication

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include: - *Something you know*: Passwords, PINs. - *Something you have*: Physical tokens, smartphone authenticator apps. - *Something you are*: Biometric data such as fingerprints, facial recognition, or retinal scans. Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures: Identity and Access Management (IAM): - Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles. - Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations). Authentication Tools and Methods: - Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP). - Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security. - Enforce biometric authentication for compatible devices and applications. Secure Legacy Systems: - Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet. - Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins. Monitoring and Alerting: - Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems. - Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations. Training and Policy Enforcement: - Educate employees on the importance of MFA and secure authenticator usage. - Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures: Account Permissions and Roles: - Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions. Credential Security: - Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO). Multi-Factor Authentication (MFA): - Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA. Privileged Access Management (PAM): - Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access. Auditing and Monitoring: - Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage. Just-In-Time Access: - Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions. *Tools for Implementation* Privileged Access Management (PAM): - CyberArk, BeyondTrust, Thycotic, HashiCorp Vault. Credential Management: - Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass. Multi-Factor Authentication: - Duo Security, Okta, Microsoft Azure MFA, Google Authenticator. Linux Privilege Management: - sudo configuration, SELinux, AppArmor. Just-In-Time Access: - Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Обнаружение

Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary. For network infrastructure devices, collect AAA logging to monitor for account creations.

Ссылки

  1. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  2. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  3. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  4. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  5. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  6. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  7. Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
  8. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  9. Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.
  10. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  11. Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
  12. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  13. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  14. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  15. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  18. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  19. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  20. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  21. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  22. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  23. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  24. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  25. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  26. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  27. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  28. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  29. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  30. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  31. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  32. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  33. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  34. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.