T1136 - Create Account
Description from ATT&CK
Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. The `net user` commands can be used to create a local or domain account.

Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
Platforms: Linux, macOS, Windows
Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs
Permissions Required: Administrator
Atomic Tests
Atomic Test #1 - Create a user account on a Linux system
Create a user via useradd
Supported Platforms: Linux
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | evil_user |
| comment | Comment to record when creating the user | String | Evil Account |
Run it with bash!

```bash
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
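As an added example (not part of the Atomic Red Team test), this Python audit applies the detection guidance from the description to the pattern Test #1 produces: it parses the "new user" lines that useradd writes to syslog/journal and flags creations that are not on an approved list or that pair a system-range UID (`useradd -r`) with an interactive shell. The log format, the `SYSTEM_UID_MAX` value and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Set

# Assumed shape of the "new user" message useradd logs via syslog/journald;
# the sample lines below are constructed, not captured from a real host.
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), "
    r"GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)

# Shells that do not grant an interactive login; a service account normally has one of these.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Upper bound of the system-account UID range; assumed value, check SYS_UID_MAX in /etc/login.defs.
SYSTEM_UID_MAX = 999


def audit_useradd_logs(lines: List[str], approved: Set[str]) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for account creations that deserve review."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = USERADD_RE.search(line)
        if not m:
            continue  # not an account-creation event
        name, uid, shell = m["name"], int(m["uid"]), m["shell"]
        reasons = []
        if name not in approved:
            reasons.append("account not in approved list")
        # A system-range UID with an interactive shell is the Test #1 pattern:
        # it hides among service accounts yet still allows a login.
        if uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            reasons.append(f"system UID {uid} with interactive shell {shell}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "Mar 10 12:00:01 host useradd[4121]: new user: name=svc_backup, UID=997, GID=997, home=/var/lib/backup, shell=/sbin/nologin",
    "Mar 10 12:03:15 host useradd[4188]: new user: name=evil_user, UID=996, GID=100, home=/home/evil_user, shell=/bin/bash",
    "Mar 10 12:05:00 host useradd[4201]: new user: name=alice, UID=1001, GID=1001, home=/home/alice, shell=/bin/bash",
    "Mar 10 12:05:02 host sshd[4210]: Accepted publickey for alice from 10.0.0.5 port 51234",
]

if __name__ == "__main__":
    for user, why in audit_useradd_logs(SAMPLE_LOG, approved={"svc_backup", "alice"}).items():
        print(f"{user}: {'; '.join(why)}")
```

On a live host, feed it `journalctl -t useradd` or the relevant lines from /var/log/auth.log or /var/log/secure, and cross-check the result against a periodic dump of /etc/passwd as the description recommends.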
Atomic Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
Supported Platforms: macOS
Run it with bash!

```bash
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```