Description
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Platforms
Mitigations (4)
Multi-factor Authentication (M1032)
Use multi-factor authentication for user and privileged accounts.
Operating System Configuration (M1028)
Protect domain controllers by ensuring proper security configuration for critical servers.
Network Segmentation (M1030)
Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
Privileged Account Management (M1026)
Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cyberea... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) created privileged domain accounts during intrusions.(Citation: Cisco BlackByte 2024) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has created and used new accounts within a victim's Active Directory environment to maintain pe... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has created a domain account within the victim environment.(Citation: CISA Medusa Group Medusa R... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has created domain accounts.(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Sil... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use PowerView to execute “net user” commands and create domain accounts.(Citation: GitHub Pupy) |
| S0029 | PsExec | Tool | [PsExec](https://attack.mitre.org/software/S0029) has the ability to remotely create accounts on target systems.(Citation: NCC Group Fivehands June 20... |
| S0039 | Net | Tool | The `net user username password /add /domain` command in [Net](https://attack.mitre.org/software/S0039) can be used to create a domain account... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire... |
References
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
Frequently Asked Questions
What is T1136.002 (Domain Account)?
T1136.002 is a MITRE ATT&CK technique named 'Domain Account'. It belongs to the Persistence tactic(s). Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across s...
How can T1136.002 be detected?
Detection of T1136.002 (Domain Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
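As an added detection example (not part of this page or of MITRE ATT&CK), the following script applies the description above to the Windows Security event the references cite, 4720 (a user account was created). It flags a creation when the creating account is outside an approved provisioning set, or when the new account is added to a privileged group shortly afterwards (events 4728/4732, member added to a security-enabled group). The event records, field names and account names are constructed for illustration and are not taken from any product or incident.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified SIEM-style shape; field names follow
# the Windows Security log XML data names (assumption), values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-01T02:13:05", "SubjectUserName": "svc-hr-provision",
     "TargetUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T02:41:17", "SubjectUserName": "backup-admin",
     "TargetUserName": "support$", "Computer": "DC01"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T02:42:03", "SubjectUserName": "backup-admin",
     "MemberName": "CN=support$,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins",
     "Computer": "DC01"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T09:05:44", "SubjectUserName": "svc-hr-provision",
     "TargetUserName": "asmith", "Computer": "DC01"},
]

# Accounts that are allowed to create domain accounts (e.g. an HR provisioning service).
PROVISIONING_ACCOUNTS = {"svc-hr-provision"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _member_cn(member_dn):
    """Extract the CN value from a distinguished name such as 'CN=support$,CN=Users,...'."""
    first_rdn = member_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip().lower() if "=" in first_rdn else first_rdn.lower()


def find_suspicious_account_creations(events, provisioning_accounts=PROVISIONING_ACCOUNTS,
                                      privileged_groups=PRIVILEGED_GROUPS, window=WINDOW):
    """Return alerts for 4720 events created by a non-provisioning account, or
    followed within `window` by the new account joining a privileged group."""
    allowed = {a.lower() for a in provisioning_accounts}
    group_adds = [e for e in events if e["EventID"] in (4728, 4732)]
    alerts = []
    for c in (e for e in events if e["EventID"] == 4720):
        reasons = []
        if c["SubjectUserName"].lower() not in allowed:
            reasons.append(f"created by non-provisioning account {c['SubjectUserName']}")
        for g in group_adds:
            delay = (_ts(g) - _ts(c)).total_seconds()
            if (_member_cn(g.get("MemberName", "")) == c["TargetUserName"].lower()
                    and g["TargetUserName"] in privileged_groups and 0 <= delay <= window.total_seconds()):
                reasons.append(f"added to {g['TargetUserName']} {int(delay)}s after creation")
        if reasons:
            alerts.append({"account": c["TargetUserName"], "creator": c["SubjectUserName"],
                           "time": c["TimeCreated"], "reasons": reasons})
    return alerts
```

On the sample data only the `support$` account is reported, for both reasons; `jdoe` and `asmith` are created by the approved provisioning account and never join a privileged group.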
What mitigations exist for T1136.002?
There are 4 documented mitigations for T1136.002. Key mitigations include: Multi-factor Authentication, Operating System Configuration, Network Segmentation, Privileged Account Management.
Which threat groups use T1136.002?
Known threat groups using T1136.002 include: GALLIUM, BlackByte, Wizard Spider, Medusa Group, HAFNIUM.