Create Account

ID: T1136 Tactic: Persistence


Last updated 5 years ago


Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.

In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

Windows

The net user commands can be used to create a local or domain account.

Office 365

An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office 365 tenant.

Various tools have modules for creating an account with a predetermined password, such as "joe Password1!" from Empire, while others use hacker Password123. The basic command-line syntax to add a user is:

net user username password /add

This only works with the proper permissions, of course, such as Admin. If we use a low-level user we will get an Access denied error. This part of persistence is usually done after some form of Privesc has been achieved, or with a user that has the required permission:

Administrator:

Remember to add the user to the Administrators group, or it will just be created as a local account with no admin privileges:

net localgroup Administrators hacker /add

PowerShell: Add-LocalGroupMember -Group Administrators -Member hacker

This ensures that the newly created user is an Administrator and doesn't receive any prompts when running with high privileges.

Low-Level user
Login for hacker
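
From the detection side, the command lines above leave a recognisable pair: an account creation followed shortly by an addition to Administrators on the same host. The following is an added example, not part of the original notes; the record format, the 30-minute window, and the names detect, norm and SAMPLE are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, command line); not real telemetry.
SAMPLE = [
    ("2024-01-10T09:00:01", "WS01", "net user hacker Password123 /add"),
    ("2024-01-10T09:00:40", "WS01", "net localgroup Administrators hacker /add"),
    ("2024-01-10T09:05:00", "WS02", "NET1.EXE user joe Password1! /ADD"),
    ("2024-01-10T09:06:00", "WS02",
     "powershell Add-LocalGroupMember -Group Administrators -Member joe"),
    ("2024-01-10T10:00:00", "WS03", "net user svc_backup"),  # lookup only, no /add
    ("2024-01-10T11:00:00", "WS04", "net localgroup Administrators helpdesk /add"),
]

NET = r'\bnet1?(?:\.exe)?"?\s+'  # net, net1, net.exe, optionally path-quoted
CREATE = re.compile(NET + r'user\s+(?P<name>[^\s/]\S*)\s.*?/add\b', re.I)
GROUP_NET = re.compile(
    NET + r'localgroup\s+"?administrators"?\s+(?P<name>[^\s/]\S*)\s+/add\b', re.I)
GROUP_PS = re.compile(
    r'Add-LocalGroupMember\b(?=.*-Group\s+"?Administrators"?)'
    r'(?=.*-Member\s+"?(?P<name>[^\s"]+))', re.I)

def norm(name):  # lower-case; drop quotes and any DOMAIN\ or HOST\ prefix
    return name.strip('"').split("\\")[-1].lower()

def detect(records, window=timedelta(minutes=30)):
    """Return (severity, host, account, detail) tuples; passwords are never stored."""
    created, findings = {}, []  # created: (host, account) -> creation time
    for ts, host, cmd in sorted(records):
        when = datetime.fromisoformat(ts)
        m = CREATE.search(cmd)
        if m:
            acct = norm(m["name"])
            created[(host, acct)] = when
            findings.append(("medium", host, acct, "account created"))
            continue
        m = GROUP_NET.search(cmd) or GROUP_PS.search(cmd)
        if m:
            acct = norm(m["name"])
            t0 = created.get((host, acct))
            fresh = t0 is not None and when - t0 <= window
            findings.append(("high" if fresh else "medium", host, acct,
                             "new account added to Administrators" if fresh
                             else "added to Administrators"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(*finding, sep=" | ")
```

The same correlation applies to the Windows Security log, where event 4720 records a user account being created and event 4732 records a member being added to a security-enabled local group.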