Create Account: Domain Account
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across the systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the `net user /add /domain` command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Procedure Examples

Name | Description |
---|---|
Pupy | Pupy can use PowerView to execute “net user” commands and create domain accounts.(Citation: GitHub Pupy) |
GALLIUM | GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
Sandworm Team | Sandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018) |
PsExec | PsExec has the ability to remotely create accounts on target systems.(Citation: NCC Group Fivehands June 2021) |
Net | The |
HAFNIUM | HAFNIUM has created and granted privileges to domain accounts.(Citation: Volexity Exchange Marauder March 2021) |
Empire | Empire has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire) |
Mitigations

Mitigation | Description |
---|---|
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Detection
Monitor for processes and command-line parameters associated with domain account creation, such as `net user /add /domain`. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller.(Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.
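As an added example (not from the original page or from ATT&CK), the detection logic above applied to a constructed, normalized Windows Security log: it flags 4688 process-creation command lines that run `net user ... /add /domain`, flags 4720 events whose creating principal is not an assumed approved provisioning account, and links the two when a 4720 for the same account follows within a short window. Host names, account names and the approved-creator set are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (not from the page): 4688 = process creation, 4720 = user created.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "id": 4688, "host": "WS01", "user": "CORP\\jdoe",
     "cmd": r'"C:\Windows\System32\net1.exe" user svc_backup P@ss /add /domain'},
    {"ts": "2024-05-01T10:00:07", "id": 4720, "host": "DC01", "user": "CORP\\jdoe",
     "target": "svc_backup", "domain": "CORP"},
    {"ts": "2024-05-01T11:30:00", "id": 4688, "host": "WS02", "user": "CORP\\alice",
     "cmd": "net user alice /domain"},  # query only: no /add, should not alert
    {"ts": "2024-05-01T12:00:00", "id": 4720, "host": "DC01", "user": "CORP\\svc_provision",
     "target": "newhire42", "domain": "CORP"},
]

# net.exe or net1.exe (bare or full path), "user", then /add and /domain in any order.
NET_ADD_DOMAIN = re.compile(
    r'(?i)\bnet1?(?:\.exe)?"?\s+user\s+(?=.*/add\b)(?=.*/domain\b)(?P<name>[^/\s]\S*)?')

APPROVED_CREATORS = {"CORP\\svc_provision"}  # assumed: the only sanctioned provisioning account


def parse_net_add(cmd):
    """Account name from a 'net user ... /add /domain' command line; '' if no name
    was given; None if the command line does not create a domain account."""
    m = NET_ADD_DOMAIN.search(cmd)
    if not m:
        return None
    return m.group("name") or ""


def detect(events, approved=APPROVED_CREATORS, window_s=60):
    """Return alerts for domain-account-creating command lines and for 4720 events
    raised by an unapproved creator; a 4688 is marked confirmed when a 4720 for the
    same account follows within window_s seconds."""
    alerts, created = [], [e for e in events if e["id"] == 4720]
    for e in events:
        if e["id"] == 4688:
            name = parse_net_add(e.get("cmd", ""))
            if name is None:
                continue
            t = datetime.fromisoformat(e["ts"])
            linked = any(c["target"].lower() == name.lower() and
                         0 <= (datetime.fromisoformat(c["ts"]) - t).total_seconds() <= window_s
                         for c in created)
            alerts.append({"rule": "net_user_add_domain", "host": e["host"], "user": e["user"],
                           "account": name, "confirmed_by_4720": linked})
        elif e["id"] == 4720 and e["user"] not in approved:
            alerts.append({"rule": "4720_unapproved_creator", "host": e["host"],
                           "user": e["user"], "account": e["target"], "confirmed_by_4720": True})
    return alerts
```

On the sample log this yields two alerts for the same `svc_backup` creation (the command line on WS01 and the 4720 on DC01) and nothing for the read-only `net user alice /domain` or the approved provisioning account.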
References
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
- Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Related Risks

Risk | Links |
---|---|
Attacker persistence in the OS due to the ability to create an account in the Windows OS (privilege escalation, unauthorized access) | |
Attacker persistence in the OS due to the ability to create an account in the Linux OS (privilege escalation, unauthorized access) | 1 |
Attacker persistence in the domain due to the ability to create an account in Active Directory Domain Services (privilege escalation, integrity, unauthorized access) | |
Attacker persistence in cloud infrastructure due to the ability to create an account in a cloud service (unauthorized access) | |