Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (CII), state information systems (GIS), an ISMS, and banking security systems.
SECURITM is also a place where security teams exchange experience and working materials.

Create Account: Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ID: T1136.001
Parent technique: T1136
Tactic(s): Persistence
Platforms: Linux, macOS, Windows
Permissions Required: Administrator
Data Sources: Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Version: 1.1
Created: 28 Jan 2020
Last Modified: 12 Aug 2021

Procedure Examples

Name / Description
HiddenWasp

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.(Citation: Intezer HiddenWasp Map 2019)

GoldenSpy

GoldenSpy can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020)

Empire

Empire has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire)

Dragonfly

Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)

TeamTNT

TeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020)

Fox Kitten

Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020)

SMOKEDHAM

SMOKEDHAM has created user accounts and added them to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021)

APT41

APT41 created user accounts and adds them to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)

Flame

Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)

ServHelper

ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.(Citation: Proofpoint TA505 Jan 2019)

Kimsuky

Kimsuky has created accounts with net user.(Citation: KISA Operation Muzabi)

Pupy

Pupy can use PowerView to execute "net user" commands and create local system accounts.(Citation: GitHub Pupy)

S-Type

S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6"{Unique Identifier}`.(Citation: Cylance Dust Storm)

Net

The net user username \password commands in Net can be used to create a local account.(Citation: Savill 1999)

Mis-Type

Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.(Citation: Cylance Dust Storm)

Magic Hound

Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022)

Carbanak

Carbanak can create a Windows account.(Citation: FireEye CARBANAK June 2017)

Leafminer

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citation: Symantec Leafminer July 2018)

APT39

APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)

Hildegard

Hildegard has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware)

ZxShell

ZxShell has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014)

APT3

APT3 has been known to create or enable accounts, such as support_388945a0.(Citation: aptsim)

Dragonfly 2.0

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Calisto

Calisto has the capability to add its own account to the victim's machine.(Citation: Symantec Calisto July 2018)

Mitigations

Mitigation / Description
Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Detection

Monitor for processes and command-line parameters associated with local account creation, such as net user /add, useradd, and dscl -create. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system.(Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.
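The three detection measures above (command-line monitoring for net user /add, useradd and dscl -create; collecting Windows Event ID 4720; periodic audits of local accounts against an approved baseline) can be combined into one small detection routine. The following Python script is an added example, not part of the original page or of the SECURITM/ATT&CK content; every log line, account list and host name in it is constructed sample data, and the event dictionaries stand in for whatever shape your SIEM or EDR actually delivers.

```python
"""Detection helpers for local-account creation (ATT&CK T1136.001).

Implements the three checks from the detection guidance:
  1. Flag process-creation events whose command line matches an
     account-creation tool (net user /add, useradd, dscl -create).
  2. Raise an alert for every Windows Security event 4720
     ("A user account was created").
  3. Diff the current local accounts of a host against an approved
     baseline and report accounts that have no change record.
All sample events and account lists below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Case-insensitive patterns for the three commands named in the guidance.
# The net.exe pattern tolerates the usual "net user <name> <password> /add" order
# and does not fire on the unrelated "net use" (drive mapping) command.
ACCOUNT_CREATION_PATTERNS = {
    "windows_net_user_add": re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I),
    "linux_useradd": re.compile(r"(^|[\s/])useradd\b", re.I),
    "macos_dscl_create": re.compile(r"\bdscl\b.*\s-create\s+/Users/", re.I),
}


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def scan_process_events(events):
    """events: iterable of dicts with 'host', 'user' and 'cmdline' keys.
    Returns one Alert per event whose command line creates a local account."""
    alerts = []
    for ev in events:
        for rule, pattern in ACCOUNT_CREATION_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], rule, f"{ev['user']} ran: {ev['cmdline']}"))
                break  # one alert per event is enough
    return alerts


def scan_windows_security_events(events):
    """events: iterable of dicts with 'host', 'event_id', 'subject_user', 'target_user'.
    Event ID 4720 is written when an account is created; everything else is ignored."""
    return [Alert(ev["host"], "win_event_4720",
                  f"{ev['subject_user']} created account {ev['target_user']}")
            for ev in events if ev["event_id"] == 4720]


def audit_local_accounts(host, current_accounts, baseline_accounts):
    """Return an Alert for each account present on the host but absent from the baseline."""
    unexpected = sorted(set(current_accounts) - set(baseline_accounts))
    return [Alert(host, "unexpected_local_account", name) for name in unexpected]


# --- constructed sample data (hypothetical hosts and users) ---
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "cmdline": "net user DefaultAccount P@ssw0rd /add"},
    {"host": "ws01", "user": "CORP\\alice",
     "cmdline": "net use Z: \\\\fileserver\\share"},           # benign: net use, not net user /add
    {"host": "srv02", "user": "root",
     "cmdline": "/usr/sbin/useradd -m -G sudo monerodaemon"},
    {"host": "mac03", "user": "root",
     "cmdline": "dscl . -create /Users/support_388945a0"},
    {"host": "mac03", "user": "root",
     "cmdline": "dscl . -read /Users/bob"},                    # benign: read, not create
]
SAMPLE_SECURITY_EVENTS = [
    {"host": "ws01", "event_id": 4720, "subject_user": "alice", "target_user": "DefaultAccount"},
    {"host": "ws01", "event_id": 4624, "subject_user": "-", "target_user": "alice"},  # logon, ignored
]
BASELINE_ACCOUNTS = {"srv02": ["root", "daemon", "deploy", "www-data"]}
CURRENT_ACCOUNTS = {"srv02": ["root", "daemon", "deploy", "www-data", "monerodaemon"]}


def run_all():
    """Run all three checks over the sample data and return the combined alert list."""
    alerts = scan_process_events(SAMPLE_PROCESS_EVENTS)
    alerts += scan_windows_security_events(SAMPLE_SECURITY_EVENTS)
    for host, accounts in CURRENT_ACCOUNTS.items():
        alerts += audit_local_accounts(host, accounts, BASELINE_ACCOUNTS.get(host, []))
    return alerts


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.host}] {a.rule}: {a.detail}")
```

Over the constructed input the script raises five alerts: three from command lines (the net user /add, useradd and dscl -create events), one from the 4720 event, and one from the baseline diff, while the benign "net use" and "dscl -read" lines stay silent. In production the third check is the one that catches creations the first two miss (for example accounts added through an API or a management agent that never spawns net.exe), which is why the guidance asks for periodic audits in addition to process monitoring.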

References

  1. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
  4. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  5. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  6. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  7. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  8. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  9. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  10. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  11. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  12. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  13. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  15. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  16. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  17. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  18. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  19. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  20. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  21. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  22. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  23. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  24. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  25. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
