Create Account
ID: T1136 Tactic: Persistence
Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.
In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
The net user commands can be used to create a local or domain account.
An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office365 tenant.
Various tools have modules for creating an account with a predetermined password, such as "joe Password1!" from Empire, or others that use "hacker Password123".
Here is the simple command-line syntax to add a user:
net user username password /add
This only works with the proper permissions, of course, such as Admin. If we use a low-level user, we will get an Access denied. This part of persistence is usually done after some form of privesc has been taken, or with a user that has the required permission:
Administrator:
Remember to add the user to the Administrators group, or this will just be created as a local account with no admin privileges:
net localgroup Administrators hacker /add
PowerShell: Add-LocalGroupMember -Group Administrators -Member hacker
This ensures that the newly created user is an Administrator and doesn't receive any prompts when running with high privileges.
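From the detection side, the commands above leave a recognisable sequence in process command-line logs: an account is created, then the same name is added to Administrators on the same host. The following is an added example, not part of the original notes; the record layout (host, cmd), the hostnames and the sample events are constructed assumptions.

```python
import re

# Patterns for the three commands shown on this page. Case-insensitive;
# net.exe hands off to net1.exe, so both names are matched.
NET = r"\bnet1?(?:\.exe)?\s+"
CREATE = re.compile(NET + r"user\s+(?P<user>[^\s/]\S*)\s.*?/add\b", re.I)
GROUP_NET = re.compile(
    NET + r"localgroup\s+\"?administrators\"?\s+(?P<user>[^\s/]\S*)\s+/add\b", re.I)
GROUP_PS = re.compile(
    r"Add-LocalGroupMember\b(?=.*-Group\s+[\"']?Administrators)"
    r"(?=.*-Member\s+[\"']?(?P<user>[^\s\"']+))", re.I)

# Constructed process-creation records, oldest first (hypothetical layout).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": "net user hacker Password123 /add"},
    {"host": "WS01", "cmd": "net localgroup Administrators hacker /add"},
    {"host": "WS02", "cmd": r"C:\Windows\System32\net1.exe user joe Password1! /add"},
    {"host": "WS02", "cmd": "powershell.exe -c Add-LocalGroupMember "
                            "-Group Administrators -Member joe"},
    {"host": "WS03", "cmd": "net user svc_backup S0mething! /add"},
    {"host": "WS03", "cmd": "net user"},                       # listing only
    {"host": "WS04", "cmd": "net localgroup Administrators"},  # listing only
    {"host": "WS04", "cmd": "NET LOCALGROUP administrators alice /ADD"},
]

def analyze(events):
    """Return (host, user, verdict) per account touched, in first-seen order.

    verdict: 'created'        account created, no admin group change seen
             'created+admin'  created, then added to Administrators (highest priority)
             'admin-add'      existing account added to Administrators
    """
    state = {}
    for ev in events:
        m = CREATE.search(ev["cmd"])
        if m:
            state[(ev["host"], m["user"].lower())] = "created"
            continue
        m = GROUP_NET.search(ev["cmd"]) or GROUP_PS.search(ev["cmd"])
        if m:
            key = (ev["host"], m["user"].lower())
            was_created = state.get(key, "").startswith("created")
            state[key] = "created+admin" if was_created else "admin-add"
    return [(host, user, verdict) for (host, user), verdict in state.items()]

if __name__ == "__main__":
    for host, user, verdict in analyze(SAMPLE_EVENTS):
        print(f"{host:5} {user:12} {verdict}")
```

In production telemetry the same command lines appear in Security event 4688 (with command-line auditing enabled) or Sysmon event 1; the account creation and the group change themselves are logged as Security events 4720 and 4732 regardless of which tool made them.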