Create Account

ID: T1136 Tactic: Persistence

Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.

In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

Windows

The net user commands can be used to create a local or domain account.

Office 365

An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office 365 tenant.

There are various tools that have modules for creating an account with predetermined passwords, such as "joe Password1!" from Empire, or others that use "hacker Password123". Here is the command line with a simple syntax to add a user:

net user username password /add

This only works with the proper permissions, of course, such as Admin. If we use a low-level user we will get "Access denied". This part of persistence is usually done after some form of privesc has been achieved, or with a user that has the required permissions:

Administrator:

Remember to add the user to the Administrators group, or it will just be created as a local account with no admin privileges.

net localgroup Administrators hacker /add

PowerShell: Add-LocalGroupMember -Group Administrators -Member hacker

This ensures that the newly created user is an Administrator and doesn't receive any prompts when running with high privileges.
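
From the defender's side, the two steps above leave a recognizable pair of Windows Security events: 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group) for BUILTIN\Administrators. The following is an added example, not part of the original page, that correlates the two by account SID; the sample records, the host and user names other than hacker, and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"     # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

# Constructed sample records (not real logs), shaped like Security events
# 4720 (user account created) and 4732 (member added to a local group).
EVENTS = [
    {"time": "2024-05-01T10:00:05", "host": "WS01", "id": 4720,
     "SubjectUserName": "alice", "TargetUserName": "hacker",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"time": "2024-05-01T10:00:40", "host": "WS01", "id": 4732,
     "SubjectUserName": "alice", "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # New account added to Remote Desktop Users only: not an admin promotion.
    {"time": "2024-05-01T11:00:00", "host": "WS02", "id": 4720,
     "SubjectUserName": "helpdesk", "TargetUserName": "newhire",
     "TargetSid": "S-1-5-21-4444-5555-6666-1010"},
    {"time": "2024-05-01T11:01:00", "host": "WS02", "id": 4732,
     "SubjectUserName": "helpdesk", "TargetSid": "S-1-5-32-555",
     "MemberSid": "S-1-5-21-4444-5555-6666-1010"},
    # Existing account promoted, no matching 4720 in the data set.
    {"time": "2024-05-01T15:00:00", "host": "WS03", "id": 4732,
     "SubjectUserName": "itadmin", "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-7777-8888-9999-1001"},
]

def find_new_admin_accounts(events, window=WINDOW):
    """Alert on accounts created and then added to Administrators within `window`."""
    created = {}  # (host, account SID) -> (creation time, 4720 record)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["TargetSid"])] = (when, ev)
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINS_SID:
            hit = created.get((ev["host"], ev["MemberSid"]))
            if hit and when - hit[0] <= window:
                alerts.append({"host": ev["host"],
                               "account": hit[1]["TargetUserName"],
                               "created_by": hit[1]["SubjectUserName"],
                               "promoted_by": ev["SubjectUserName"],
                               "seconds_between": int((when - hit[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_new_admin_accounts(EVENTS):
        print(alert)
```

Matching on the SID rather than the user name keeps the correlation intact if the account is renamed between the two events.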
