Skip to content

Latest commit

 

History

History
119 lines (85 loc) · 3.63 KB

T1136.md

File metadata and controls

119 lines (85 loc) · 3.63 KB
Raw

T1136 - Create Account

Description from ATT&CK

Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

The net user commands can be used to create a local or domain account.

Atomic Tests


Atomic Test #1 - Create a user account on a Linux system

Create a user via useradd

Supported Platforms: Linux

Inputs

Name Description Type Default Value
username Username of the user to create String evil_user
comment Comment to record when creating the user String Evil Account

Run it with bash!

useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}


Atomic Test #2 - Create a user account on a MacOS system

Creates a user on a MacOS system with dscl

Supported Platforms: macOS

Inputs

Name Description Type Default Value
username Username of the user to create String evil_user
realname 'realname' to record when creating the user String Evil Account

Run it with bash!

dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}


Atomic Test #3 - Create a new user in a command prompt

Creates a new user in a command prompt

Supported Platforms: Windows

Inputs

Name Description Type Default Value
username Username of the user to create String Evil Account

Run it with command_prompt!

net user /add #{username}


Atomic Test #4 - Create a new user in PowerShell

Creates a new user in PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
username Username of the user to create String Evil Account

Run it with powershell!

New-LocalUser -Name #{username} -NoPassword
net user /add #{username}


Atomic Test #5 - Create a new user in Linux with root UID and GID.

Creates a new user in Linux and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.

Supported Platforms: Linux

Inputs

Name Description Type Default Value
username Username of the user to create String butter
password Password of the user to create String BetterWithButter

Run it with bash!

useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}