
Create Account: Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

ID: T1136.002
Parent technique: T1136
Tactic(s): Persistence
Platforms: Linux, macOS, Windows
Permissions required: Administrator
Data sources: Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Version: 1.0
Created: 28 Jan 2020
Last modified: 23 Mar 2020

Procedure Examples

Name / Description
Pupy

Pupy can use PowerView to execute "net user" commands and create domain accounts.(Citation: GitHub Pupy)

GALLIUM

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Sandworm Team

Sandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018)

PsExec

PsExec has the ability to remotely create accounts on target systems.(Citation: NCC Group Fivehands June 2021)

Net

The net user <username> <password> /add /domain command in Net can be used to create a domain account.(Citation: Savill 1999)

HAFNIUM

HAFNIUM has created and granted privileges to domain accounts.(Citation: Volexity Exchange Marauder March 2021)

Empire

Empire has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire)

Mitigations

Mitigation / Description
Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Detection

Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.
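The detection logic described above, as an added example that is not part of this page or of ATT&CK: it scans constructed sample events (one JSON object per line, with a subset of the field names used by Windows Security events 4688 and 4720) for net-based domain account creation, for 4720 events raised by subjects outside a sanctioned provisioning allowlist, and for the correlation of the two. The allowlist, the JSON shape and the function name are assumptions made for this example.

```python
import json
import re

# Constructed sample events (not real logs), one JSON object per line, carrying a
# subset of the fields found in Windows Security 4688 (process creation) and
# 4720 (user account created) events.
SAMPLE_LOG = "\n".join([
    '{"EventID": 4688, "SubjectUserName": "jsmith", "CommandLine": "net  user svc_backup Passw0rd! /ADD /domain"}',
    '{"EventID": 4688, "SubjectUserName": "jsmith", "CommandLine": "net1 user svc_backup /domain"}',
    '{"EventID": 4720, "SubjectUserName": "jsmith", "TargetUserName": "svc_backup", "TargetDomainName": "CORP"}',
    '{"EventID": 4720, "SubjectUserName": "svc_provision", "TargetUserName": "new.hire", "TargetDomainName": "CORP"}',
    '{"EventID": 4688, "SubjectUserName": "jsmith", "CommandLine": "notepad.exe notes.txt"}',
])

# Accounts expected to create users through the sanctioned provisioning path
# (assumed allowlist for this example; in practice it comes from the IAM process).
PROVISIONING_ACCOUNTS = {"svc_provision"}

# net.exe / net1.exe domain-account creation: "user <name> [password] /add /domain",
# switches in any order and case (net accepts both), extra whitespace tolerated.
# Note that "net user <name> /domain" without /add is only a query and is not flagged.
NET_ADD_DOMAIN = re.compile(
    r"^\s*net1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?=.*\s/add\b)(?=.*\s/domain\b)",
    re.IGNORECASE)


def detect_domain_account_creation(log_text):
    """Return T1136.002 findings: net-based creation commands, 4720 events from
    non-provisioning subjects, and 4720 events correlated with a prior net command."""
    findings = []
    created_by_net = {}  # account name -> subject that ran the net command
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 4688:
            m = NET_ADD_DOMAIN.match(ev.get("CommandLine", ""))
            if m:
                name = m.group("name").lower()
                created_by_net[name] = ev["SubjectUserName"]
                findings.append({"rule": "net_user_add_domain", "subject": ev["SubjectUserName"], "target": name})
        elif ev["EventID"] == 4720:
            # 4720 fires regardless of tooling, so it also covers creation through
            # PowerView, ADSI or other non-net paths that leave no net.exe command line.
            target = ev["TargetUserName"].lower()
            if ev["SubjectUserName"] not in PROVISIONING_ACCOUNTS:
                findings.append({"rule": "4720_unsanctioned_subject", "subject": ev["SubjectUserName"], "target": target})
            if target in created_by_net:
                findings.append({"rule": "4720_correlated_with_net_add", "subject": ev["SubjectUserName"], "target": target})
    return findings
```

The 4720 rule is the one that matters for account creation done through a framework rather than net.exe, since only the domain controller's audit event is left behind in that case.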
