Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Procedure Examples

Name | Description |
---|---|
HiddenWasp | HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.(Citation: Intezer HiddenWasp Map 2019) |
GoldenSpy | GoldenSpy can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020) |
Empire | Empire has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire) |
Dragonfly | Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A) |
TeamTNT | TeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020) |
Fox Kitten | Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020) |
SMOKEDHAM | SMOKEDHAM has created user accounts and added them to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021) |
APT41 | APT41 created user accounts and added them to the User and Admin groups.(Citation: FireEye APT41 Aug 2019) |
Flame | Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality) |
ServHelper | ServHelper has created a new user and added it to the "Remote Desktop Users" and "Administrators" groups.(Citation: Proofpoint TA505 Jan 2019) |
Kimsuky | Kimsuky has created accounts with |
Pupy | Pupy can use PowerView to execute “net user” commands and create local system accounts.(Citation: GitHub Pupy) |
S-Type | S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6"{Unique Identifier}`.(Citation: Cylance Dust Storm) |
Net | The |
Mis-Type | Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.(Citation: Cylance Dust Storm) |
Magic Hound | Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022) |
Carbanak | Carbanak can create a Windows account.(Citation: FireEye CARBANAK June 2017) |
Leafminer | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citation: Symantec Leafminer July 2018) |
APT39 | APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020) |
Hildegard | Hildegard has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware) |
ZxShell | ZxShell has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014) |
APT3 | APT3 has been known to create or enable accounts, such as |
Dragonfly 2.0 | Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
Calisto | Calisto has the capability to add its own account to the victim's machine.(Citation: Symantec Calisto July 2018) |
Mitigations

Mitigation | Description |
---|---|
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Detection
Monitor for processes and command-line parameters associated with local account creation, such as `net user /add`, `useradd`, and `dscl -create`. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system.(Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.
References
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
- KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
- Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
- Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
- ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
Related risks

Risk | Connections | |
---|---|---|
Adversary persistence in the OS due to the ability to create an account in Windows OS | Privilege escalation, Unauthorized access | |
Adversary persistence in the OS due to the ability to create an account in Linux OS | Privilege escalation, Unauthorized access | 1 |
Adversary persistence in the domain due to the ability to create an account in Active Directory Domain Services | Privilege escalation, Integrity, Unauthorized access | |
Adversary persistence in cloud infrastructure due to the ability to create an account in a cloud service | Unauthorized access | |