Create Account: Domain Account
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Procedure Examples

| Name | Description |
|---|---|
| Pupy | Pupy can use PowerView to execute "net user" commands and create domain accounts.(Citation: GitHub Pupy) |
| GALLIUM | GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| 2015 Ukraine Electric Power Attack | During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement.(Citation: Booz Allen Hamilton) |
| Sandworm Team | Sandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018) |
| Wizard Spider | Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.(Citation: Mandiant FIN12 Oct 2021) |
| PsExec | PsExec has the ability to remotely create accounts on target systems.(Citation: NCC Group Fivehands June 2021) |
| Net | The |
| 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.(Citation: Dragos Crashoverride 2018) |
| HAFNIUM | HAFNIUM has created domain accounts.(Citation: Volexity Exchange Marauder March 2021) |
| Empire | Empire has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire) |
Mitigations

| Mitigation | Description |
|---|---|
| Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
| Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
| Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
| Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Detection

Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller.(Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.
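The two signals named above, a 4688 process-creation command line that runs net user with /add and /domain, and a 4720 account-creation event on a domain controller, can be turned into simple detection logic. The block below is an added example written for this page, not MITRE's or any vendor's code; the event records, host names, user names and the approved-creator allowlist are constructed, and the account name "система" is the lookalike from the 2016 procedure example.

```python
from typing import Dict, List, Optional

NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}

def net_user_add_domain_target(cmdline: str) -> Optional[str]:
    """Return the account name if cmdline is `net user <name> [password] /add /domain`, else None."""
    tokens = cmdline.strip().split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]      # strip any path prefix
    if exe not in NET_BINARIES or tokens[1].lower() != "user":
        return None
    # Switch order and case vary (/ADD /DOMAIN, /domain /add), so compare as a set.
    switches = {t.lower() for t in tokens[2:] if t.startswith("/")}
    if not {"/add", "/domain"} <= switches:
        return None
    positional = [t for t in tokens[2:] if not t.startswith("/")]
    return positional[0] if positional else None     # first positional token is the account name

def detect_domain_account_creation(events: List[Dict], approved_creators: set) -> List[Dict]:
    """Flag 4688 command lines that create domain accounts and 4720 events from unexpected actors."""
    findings = []
    for e in events:
        if e["EventID"] == 4688:
            name = net_user_add_domain_target(e.get("CommandLine", ""))
            if name:
                findings.append({"rule": "net_user_add_domain", "account": name, "severity": "high",
                                 "actor": e["SubjectUserName"], "host": e["Computer"]})
        elif e["EventID"] == 4720:
            target = e["TargetUserName"]
            # Creation outside the normal provisioning path, or a name that is not plain ASCII
            # (the page's "система" imitating "System"), should go to an analyst.
            unusual = e["SubjectUserName"] not in approved_creators or not target.isascii()
            findings.append({"rule": "account_created_4720", "account": target,
                             "severity": "high" if unusual else "info",
                             "actor": e["SubjectUserName"], "host": e["Computer"]})
    return findings

# Constructed sample events (hypothetical hosts and users, not taken from any real log).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": "net  user svc_backup P@ssw0rd! /add /domain"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "CommandLine": r"C:\Windows\System32\net1.exe user admin Passw0rd /ADD /DOMAIN"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": "net user alice /domain"},  # lookup only, must not fire
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "alice", "TargetUserName": "svc_backup"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "provisioning_svc", "TargetUserName": "система"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "provisioning_svc", "TargetUserName": "jdoe"},
]
```

Running detect_domain_account_creation(SAMPLE_EVENTS, {"provisioning_svc"}) yields two high-severity command-line hits and three 4720 findings, of which only the provisioning-path creation of "jdoe" is informational; the 4720 record on the domain controller is the authoritative signal, since net1.exe can be renamed or bypassed while the creation event cannot.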
References

- Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Related Risks

| Risk | Connections | |
|---|---|---|
| Attacker persistence in the OS due to the ability to create an account in Windows OS | Privilege escalation; Unauthorized access | |
| Attacker persistence in the OS due to the ability to create an account in Linux OS | Privilege escalation; Unauthorized access | 1 |
| Attacker persistence in the domain due to the ability to create an account in Active Directory Domain Services | Privilege escalation; Integrity; Unauthorized access | |
| Attacker persistence in cloud infrastructure due to the ability to create an account in a cloud service | Unauthorized access | |