# T1136 Create Account

-----------------------------------------------------------------------

## Technique Description

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

## Technique Detection

Monitor for processes and command-line parameters associated with account creation, such as <code>net user</code> or <code>useradd</code>. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system or domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.

Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.

-----------------------------------------------------------------------

### Tactics:

  *   Persistence

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * IaaS

  * Linux

  * macOS

  * Google Workspace

### Adversary Required Permissions:

  * Administrator

### Data Sources:

  * **User Account:** User Account Creation

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used <code>wmic.exe</code> to add a new user to the system.(Citation: Symantec WastedLocker June 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) added a login to a SQL Server with <code>sp_addlinkedsrvlogin</code>.(Citation: Dragos Crashoverride 2018)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1136)

  * [Microsoft User Creation Event](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720), Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will create accounts to establish persistence.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
 - Turla has used the Empire framework, which has a module for creating a local user or a new domain user if the operator's permissions allow.

## Detection Blindspots

- Information Here

## Analytical References

  * [Empire Project (github)](https://github.com/EmpireProject/Empire)
  * [Windows Auditing Event 4720 (microsoft)](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)
  * [Atomic Red Team T1136.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md)
  * [Atomic Red Team T1136.002 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
- Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
- Windows Event ID 4720 is the direct record of a user account being created, but a single `net user ... /add` (or equivalent) typically produces a burst of related EIDs for the same account. These are useful for pivoting and for building higher-fidelity correlations (for example, 4720 followed shortly by 4732 into Administrators):
    - Win Vista+ / Server 2008+
        - 4720 - A user account was created
        - 4722 - A user account was enabled
        - 4724 - An attempt was made to reset an account's password
        - 4728 - A member was added to a security-enabled global group
        - 4732 - A member was added to a security-enabled local group
        - 4756 - A member was added to a security-enabled universal group
        - 4738 - A user account was changed
    - Win XP / Server 2003 (legacy IDs)
        - 624 - User Account Created
        - 626 - User Account Enabled
        - 628 - User Account password set
        - 636 - Security Enabled Local Group Member Added
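The EID burst above can be turned into a correlation: a 4720 followed within a short window by a 4728/4732/4756 that puts the same SID into an admin group is a much stronger signal than 4720 alone. The Python below is an added example written for this playbook (it is not from MITRE, Microsoft, or the page's authors). It runs over constructed Security-log records whose keys mirror the real EventData fields of these events (SubjectUserName, TargetUserName, TargetSid on 4720/4722/4724; MemberSid and the group's TargetUserName on 4728/4732/4756). The 30-minute window, the admin-group list and the PROVISIONING_ACCOUNTS allow-list are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (not real telemetry). Keys mirror the
# EventData fields of the real events: 4720/4722/4724 carry TargetSid of the
# account itself; 4728/4732/4756 carry MemberSid of the member added and
# TargetUserName of the group.
EVENTS = [
    {"ts": "2021-07-08T14:02:11Z", "code": "4720", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-10-20-30-1105"},
    {"ts": "2021-07-08T14:02:11Z", "code": "4722", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-10-20-30-1105"},
    {"ts": "2021-07-08T14:02:12Z", "code": "4724", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-10-20-30-1105"},
    {"ts": "2021-07-08T14:02:40Z", "code": "4732", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-10-20-30-1105", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},
    # Routine onboarding: created and enabled by the helpdesk, never made admin.
    {"ts": "2021-07-08T15:10:00Z", "code": "4720", "SubjectUserName": "helpdesk",
     "TargetUserName": "new.hire", "TargetSid": "S-1-5-21-10-20-30-1106"},
    {"ts": "2021-07-08T15:10:00Z", "code": "4722", "SubjectUserName": "helpdesk",
     "TargetUserName": "new.hire", "TargetSid": "S-1-5-21-10-20-30-1106"},
    # Group add for a pre-existing account: no 4720, so out of scope for T1136.
    {"ts": "2021-07-08T16:00:00Z", "code": "4732", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-10-20-30-500", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},
]

GROUP_ADD = {"4728", "4732", "4756"}   # global, local, universal security group
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Accounts expected to provision users (assumption for this example).
PROVISIONING_ACCOUNTS = {"helpdesk"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _subject_sid(e):
    """The SID an event is about: the member for group changes, else the target."""
    return e["MemberSid"] if e["code"] in GROUP_ADD else e.get("TargetSid")


def correlate(events, window=timedelta(minutes=30)):
    """Return one finding per 4720, with the follow-on events for the same SID
    inside `window`. Severity: high if the new account lands in an admin group,
    medium if created by an account outside the provisioning allow-list."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[_subject_sid(e)].append(e)

    findings = []
    for e in events:
        if e["code"] != "4720":
            continue
        t0 = _ts(e["ts"])
        chain = [f for f in by_sid[e["TargetSid"]]
                 if f is not e and t0 <= _ts(f["ts"]) <= t0 + window]
        admin_groups = sorted({f["TargetUserName"] for f in chain
                               if f["code"] in GROUP_ADD
                               and f["TargetUserName"] in ADMIN_GROUPS})
        if admin_groups:
            severity = "high"
        elif e["SubjectUserName"] not in PROVISIONING_ACCOUNTS:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "account": e["TargetUserName"],
            "created_by": e["SubjectUserName"],
            "follow_on": sorted({f["code"] for f in chain}),
            "admin_groups": admin_groups,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Against the constructed events the svc_backup creation is reported as high (4722, 4724 and a 4732 into Administrators follow within the window), the helpdesk onboarding as low, and the 16:00 group add is not reported at all because no 4720 precedes it; that case belongs to T1098 Account Manipulation, not this technique.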

#### Analytic 1

  * **Information:** Event ID 4720 is generated when a user account is created on a Windows system or domain controller.

  * **Source:** Windows Security audit log (provider Microsoft-Windows-Security-Auditing). Sysmon does not emit this event.

  * **Tool:** Kibana

  * **Notes:** 4720 is only logged when the "Audit User Account Management" subcategory (Advanced Audit Policy, Account Management) is enabled for Success. In the event, SubjectUserName is the creator and TargetUserName/TargetSid the new account; pivot on TargetSid to find the follow-on 4722/4724/4728/4732 events for the same account.

  * **Query:** ```event.code : 4720```

#### Analytic 2

  * **Information:** Monitor for processes and command-line parameters associated with account creation.

  * **Source:** Sysmon Event ID 1, or Windows Security Event ID 4688 (4688 only carries the command line when "Include command line in process creation events" is enabled).

  * **Tool:** Kibana

  * **Notes:** `net.exe` hands the work off to `net1.exe`, so one `net user x pass /add` produces two process-creation events; match both names. The ECS field is `process.command_line` (there is no `process.command.line`), and the `or` must be grouped so it applies to `process.name` only. The pattern `*add*` also matches `net localgroup ... /add` (T1098) and any command line containing the substring "add"; narrow with `*user*` and `/add` when tuning. On Linux/macOS hosts extend the process list to `useradd`, `adduser` and `dscl ... -create /Users/...`; on Windows also watch the PowerShell cmdlets `New-LocalUser` and `New-ADUser`.

  * **Query:** ```process.name : ("net.exe" or "net1.exe") and process.command_line : *add*```
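The Kibana query is a broad first pass. The Python below is an added example for this playbook (not from MITRE, Atomic Red Team, or the page's authors) showing the narrower matching a hunter would apply to the results: it requires `net user` together with `/add`, separates local (T1136.001) from domain (T1136.002) creation, ignores `net localgroup ... /add` and incidental "add" substrings, and extends the same logic to Linux and macOS. The records are constructed ECS-style process-creation events; the rule set and the `sysadminctl -addUser` macOS case are assumptions about what an environment wants covered, not a complete list.

```python
import re

# Constructed process-creation records (ECS-style field names, not real telemetry).
SAMPLE = [
    {"host.os.type": "windows", "process.name": "net1.exe",
     "process.command_line": "C:\\Windows\\system32\\net1 user svc_backup P@ssw0rd! /add /y"},
    {"host.os.type": "windows", "process.name": "net.exe",
     "process.command_line": "net user /add /domain helpdesk2 Winter2021"},
    {"host.os.type": "windows", "process.name": "net.exe",
     "process.command_line": "net user svc_backup"},                        # query only
    {"host.os.type": "windows", "process.name": "net.exe",
     "process.command_line": "net localgroup Administrators svc_backup /add"},  # T1098, not T1136
    {"host.os.type": "windows", "process.name": "powershell.exe",
     "process.command_line": "powershell -c New-LocalUser -Name 'updater' -NoPassword"},
    {"host.os.type": "linux", "process.name": "useradd",
     "process.command_line": "useradd -m -s /bin/bash -G sudo backup"},
    {"host.os.type": "linux", "process.name": "bash",
     "process.command_line": "bash -c 'echo \"Add user\" > /tmp/readme'"},   # 'add' substring, benign
    {"host.os.type": "macos", "process.name": "dscl",
     "process.command_line": "dscl . -create /Users/backup UserShell /bin/bash"},
]

# (sub-technique, reason, regex over the full command line). Order matters:
# the /domain rule must be tried before the plain /add rule.
RULES = [
    ("T1136.002", "net user ... /add /domain",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b(?=.*\s/add\b)(?=.*\s/domain\b)", re.I)),
    ("T1136.001", "net user ... /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b(?=.*\s/add\b)", re.I)),
    ("T1136.002", "New-ADUser cmdlet", re.compile(r"\bNew-ADUser\b", re.I)),
    ("T1136.001", "New-LocalUser cmdlet", re.compile(r"\bNew-LocalUser\b", re.I)),
    ("T1136.001", "useradd/adduser", re.compile(r"(?:^|[\s/])(?:useradd|adduser)\b")),
    ("T1136.001", "dscl -create /Users", re.compile(r"\bdscl\b.*\s-create\s+/Users/", re.I)),
    ("T1136.001", "sysadminctl -addUser", re.compile(r"\bsysadminctl\b.*\s-addUser\b")),
]


def classify(record):
    """Return (sub_technique, reason) for the first rule that matches, else None."""
    cmd = record.get("process.command_line", "")
    for sub, reason, rx in RULES:
        if rx.search(cmd):
            return sub, reason
    return None


def scan(records):
    """Apply classify() to every record; keep only hits as (cmd, sub, reason)."""
    hits = []
    for r in records:
        hit = classify(r)
        if hit:
            hits.append((r["process.command_line"], hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for cmd, sub, reason in scan(SAMPLE):
        print(f"{sub}  {reason:28s}  {cmd}")
```

Of the eight constructed records, five are reported (the net1 local add, the domain add, New-LocalUser, useradd and dscl); the `net user svc_backup` query, the `net localgroup` change and the bash line containing "Add user" are all dropped, which is exactly what `*add*` alone would not do.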



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

