T1136 - Create Account

Adversaries with a sufficient level of access may create a local system or domain account. Such accounts can be used to maintain persistence without deploying a persistent remote access tool on the system.

On Windows the net user command can be used to create a local or domain account; on Linux the equivalent is useradd, which is what the simulation and detection below cover.

How to Detect

Simulating the attack

useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}

useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}

Data sources required to detect the attack

/var/log/secure, specifically the lines logged by "useradd" and "userdel" (the UID and GID of a newly created account are recorded in the useradd "new user" line)

Splunk Queries to detect the attack

index=main source="/var/log/secure" eventtype=useradd | table user,host,src, UID, GID

index=linux source="/var/log/secure" eventtype=userdel delete | table user,host

Root Account Creation: index=linux source="/var/log/secure" eventtype=useradd UID=0 OR GID=0
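The three Splunk searches above all reduce to the same parsing problem: pull the account name, UID and GID out of the useradd/userdel lines in /var/log/secure and flag any creation with UID=0 or GID=0. As an added example (not code from this repository), the following Python does that parsing offline so the logic can be checked against sample lines before it is turned into a Splunk eventtype or field extraction. The log lines are constructed for the example in the format shadow-utils writes on RHEL-style systems; the host names, PIDs and account names are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/secure content (not from a real system).
# Line 3 is the case the "Root Account Creation" search is meant to catch:
# a new account with UID=0 and GID=0, i.e. a second root.
SAMPLE_SECURE_LOG = """\
Mar 10 12:34:56 web01 useradd[2211]: new group: name=svc_backup, GID=1005
Mar 10 12:34:56 web01 useradd[2211]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 10 12:40:02 web01 useradd[2298]: new user: name=sysadm, UID=0, GID=0, home=/root, shell=/bin/bash
Mar 10 12:41:10 web01 userdel[2310]: delete user 'svc_backup'
Mar 10 12:41:10 web01 sshd[2320]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# "new user:" lines carry the fields the Splunk searches table: user, UID, GID.
USERADD_RE = re.compile(
    SYSLOG_PREFIX
    + r"useradd\[(?P<pid>\d+)\]: new user: name=(?P<user>[^,]+), "
    + r"UID=(?P<uid>\d+), GID=(?P<gid>\d+)"
    + r"(?:, home=(?P<home>[^,]+))?(?:, shell=(?P<shell>\S+))?"
)
# userdel logs "delete user 'name'"; that literal "delete" is the extra
# search term used in the userdel query above.
USERDEL_RE = re.compile(
    SYSLOG_PREFIX + r"userdel\[(?P<pid>\d+)\]: delete user '(?P<user>[^']+)'"
)


@dataclass
class AccountEvent:
    action: str            # "useradd" or "userdel"
    ts: str
    host: str
    user: str
    uid: Optional[int] = None
    gid: Optional[int] = None
    shell: Optional[str] = None


def parse_secure_log(text: str) -> List[AccountEvent]:
    """Extract account create/delete events; all other lines are ignored."""
    events: List[AccountEvent] = []
    for line in text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            events.append(AccountEvent("useradd", m["ts"], m["host"], m["user"],
                                       int(m["uid"]), int(m["gid"]), m["shell"]))
            continue
        m = USERDEL_RE.match(line)
        if m:
            events.append(AccountEvent("userdel", m["ts"], m["host"], m["user"]))
    return events


def root_equivalent_creations(events: List[AccountEvent]) -> List[AccountEvent]:
    """Equivalent of: eventtype=useradd UID=0 OR GID=0.

    useradd -o -u 0 lets a second account share root's UID, so the account
    name alone is not a reliable signal; the numeric IDs are.
    """
    return [e for e in events
            if e.action == "useradd" and (e.uid == 0 or e.gid == 0)]


def account_table(events: List[AccountEvent]) -> List[dict]:
    """Rows matching the '| table user,host,UID,GID' output of the searches."""
    return [{"action": e.action, "user": e.user, "host": e.host,
             "UID": e.uid, "GID": e.gid} for e in events]


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    for row in account_table(evs):
        print(row)
    for hit in root_equivalent_creations(evs):
        print(f"ALERT root-equivalent account created: {hit.user} on {hit.host} at {hit.ts}")
```

The "new group:" line written by the same useradd process is deliberately not treated as an account creation, and the userdel match keys on the literal "delete user" text rather than on the process name alone, which is why the page's userdel search includes the word delete.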

Caution/Caveat