T1098: Account Manipulation

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.

Demo

When an adversary has sufficient permissions on the System usually a method for persistence which can be caught easily but still an effective method is to change the permissions of a group or simple it's permissions from that we can use the net.exe tool to add a user onto the machine and into the Administrators Group in this example it will be a local account and not a domain account

The Adrian Local Account will be added to the Administrators Group with the right permission

And we see that the user already has Administrators permissions, this technique thought reliable and easy to catch, sometimes it flies under the Radar because of Default accounts on the Windows System that a normal user won't even think twice about it.

PreviousSystemd Timers NextSSH Authorized Keys

Last updated 1 month ago