Description
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts can establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
Platforms
Sub-Techniques (3)
Mitigations (4)
| ID | Mitigation | Description |
|---|---|---|
| M1030 | Network Segmentation | Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| M1028 | Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers. |
| M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
| M1026 | Privileged Account Management | Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used <code>wmic.exe</code> to add a new user to the system.(Citation: Symantec WastedLocker Jun... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) creates new user identities within the compromised organization.(Citation: CISA Scattered Sp... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has created Linux-level users on compromised network devices through modification of `/etc/shado... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) has been observed creating accounts for persistence using simple names like "a".(Citation: Palo... |
References
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
Frequently Asked Questions
What is T1136 (Create Account)?
T1136 is a MITRE ATT&CK technique named 'Create Account'. It belongs to the Persistence tactic(s). Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish se...
How can T1136 be detected?
Detection of T1136 (Create Account) typically involves monitoring account-creation events in system logs (for example, Windows Security event 4720, "A user account was created", listed in the references above), network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify account creations by unexpected principals, with throwaway names, or at unusual times.
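The following is an added detection example, not code from MITRE ATT&CK or any cited vendor. It triages constructed Windows Security event 4720 records (field names SubjectUserName, TargetUserName, Computer and TimeCreated follow that event's documented fields) and, for the Linux case the Salt Typhoon entry describes, diffs two constructed snapshots of `/etc/passwd` to surface newly added users. The approved-creator list and the throwaway-name pattern are assumptions for illustration; in practice they are populated from your provisioning system and naming policy.

```python
"""Triage account-creation telemetry for ATT&CK T1136 (Create Account).

Added example; the event records and passwd snapshots below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed: identities that are allowed to provision accounts (hypothetical names).
APPROVED_CREATORS = {"svc-provisioning", "helpdesk-admin"}

# Assumed: names that look like throwaway or decoy accounts, e.g. the single
# letter "a" seen with LockBit 2.0, or generic "support1"/"test" style names.
SUSPICIOUS_NAME = re.compile(r"^(?:[a-z0-9]{1,2}|test\d*|admin\d+|support\d*)$", re.I)

BUSINESS_HOURS = range(7, 19)  # assumed local provisioning window, 07:00-18:59


def classify_4720(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 4720 event looks suspicious; an empty list means benign."""
    reasons = []
    creator = event["SubjectUserName"]
    target = event["TargetUserName"]
    if creator not in APPROVED_CREATORS:
        reasons.append(f"creator '{creator}' is not an approved provisioning identity")
    if SUSPICIOUS_NAME.match(target):
        reasons.append(f"target name '{target}' matches throwaway-name pattern")
    hour = datetime.fromisoformat(event["TimeCreated"]).hour
    if hour not in BUSINESS_HOURS:
        reasons.append(f"created outside business hours ({hour:02d}:00 on {event['Computer']})")
    return reasons


def triage_4720(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (target account, reasons) for every event that raised at least one reason."""
    findings = []
    for event in events:
        reasons = classify_4720(event)
        if reasons:
            findings.append((event["TargetUserName"], reasons))
    return findings


def new_passwd_entries(before: str, after: str) -> List[Dict[str, object]]:
    """Return users present in the `after` snapshot but not in `before`.

    Each entry carries the uid and shell, plus a uid0 flag for root-equivalent
    accounts, which is the case a defender most wants to see immediately.
    """
    def parse(text: str) -> Dict[str, Dict[str, object]]:
        users = {}
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "shell": shell}
        return users

    old, new = parse(before), parse(after)
    return [
        {"name": name, "uid": info["uid"], "shell": info["shell"], "uid0": info["uid"] == 0}
        for name, info in new.items()
        if name not in old
    ]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"EventID": "4720", "TimeCreated": "2024-03-04T10:30:00", "Computer": "DC01",
     "SubjectUserName": "svc-provisioning", "TargetUserName": "jdoe"},
    {"EventID": "4720", "TimeCreated": "2024-03-04T02:15:00", "Computer": "WS-FIN-07",
     "SubjectUserName": "jsmith", "TargetUserName": "a"},
    {"EventID": "4720", "TimeCreated": "2024-03-04T11:00:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk-admin", "TargetUserName": "support1"},
]

PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000::/home/admin:/bin/bash\n"
PASSWD_AFTER = PASSWD_BEFORE + "svcupd:x:0:0::/root:/bin/sh\n"

if __name__ == "__main__":
    for target, reasons in triage_4720(SAMPLE_EVENTS):
        print(f"[4720] {target}: " + "; ".join(reasons))
    for entry in new_passwd_entries(PASSWD_BEFORE, PASSWD_AFTER):
        print(f"[passwd] new user {entry['name']} uid={entry['uid']} uid0={entry['uid0']}")
```

Run against the constructed sample, the first event is benign, the creation of "a" at 02:15 by a non-provisioning account on a workstation raises all three reasons, and "support1" raises only the naming reason; the passwd diff reports the new UID-0 user. The creator allow-list is the check that maps most directly to the M1026 mitigation above: once account creation is restricted to a small set of identities, every 4720 from anyone else is worth a ticket.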
What mitigations exist for T1136?
There are 4 documented mitigations for T1136. Key mitigations include: Network Segmentation, Operating System Configuration, Multi-factor Authentication, Privileged Account Management.
Which threat groups use T1136?
Known threat groups using T1136 include: Indrik Spider, Scattered Spider, Salt Typhoon.