CYBERSECURITY JOB HUNTING GUIDE
T1136.002 Create Account: Local Account
Author: Stefan Waldvogel
LimaCharlie vs. Create Account: Local Account
Overview:
Description from ATT&CK
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1136.001 -ShowDetailsBrief
Invoke-AtomicTest T1136.001 -CheckPrereqs
Invoke-AtomicTest T1136.001 -GetPrereqs
Invoke-AtomicTest T1136.001 -TestNumbers 1
Invoke-AtomicTest T1136.001 -Cleanup
Changes:
Picked a longer password; PS does not allow a short password.
Limitations:
Results:
This section has 6 subtests.
Invoke-AtomicTest T1136.001 -TestNumbers 1: Linux test
Invoke-AtomicTest T1136.001 -TestNumbers 2: Mac test
Invoke-AtomicTest T1136.001 -TestNumbers 3: detected
Invoke-AtomicTest T1136.001 -TestNumbers 4: detected; it is a PowerShell command
Invoke-AtomicTest T1136.001 -TestNumbers 5: Linux test
Invoke-AtomicTest T1136.001 -TestNumbers 6: multiple detections
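Added example (not part of the original write-up, and not LimaCharlie's own rules): command-line matching for the Windows variants of this technique, covering the net user /add command from the ATT&CK description and account creation from PowerShell. The rule names, the New-LocalUser and local Administrators patterns, and the sample events are assumptions constructed for illustration; the page does not list the command lines the atomic tests ran.

```python
import re

# Assumed patterns (not LimaCharlie rules): net/net1 "user ... /add" without
# /domain, the New-LocalUser cmdlet, and additions to local Administrators.
# [^&|]* keeps each lookahead inside one command of a chained command line.
RULES = {
    "local_account_created_net": re.compile(
        r"\bnet1?(?:\.exe)?\"?\s+users?\b(?=[^&|]*\s/add\b)(?![^&|]*\s/domain\b)", re.I),
    "local_account_created_powershell": re.compile(r"\bNew-LocalUser\b", re.I),
    "local_admin_group_add": re.compile(
        r"\bnet1?(?:\.exe)?\"?\s+localgroup\s+\"?administrators\"?(?=[^&|]*\s/add\b)", re.I),
}

def classify(command_line):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def scan(events):
    """Return (host, rule, command_line) for every rule hit in the events."""
    hits = []
    for ev in events:
        for rule in classify(ev["command_line"]):
            hits.append((ev["host"], rule, ev["command_line"]))
    return hits

# Constructed sample process-creation events (not captured telemetry).
SAMPLE_EVENTS = [
    {"host": "win10-lab", "command_line": 'net user /add "art-test" "<password>"'},
    {"host": "win10-lab", "command_line":
        'powershell.exe -Command "New-LocalUser -Name art-test -NoPassword"'},
    # One command line can raise more than one detection.
    {"host": "win10-lab", "command_line":
        'cmd.exe /c net user art-admin "<password>" /add & net localgroup administrators art-admin /add'},
    {"host": "win10-lab", "command_line": "net user art-test /add /domain"},  # /domain: not a local account
    {"host": "win10-lab", "command_line": "net use \\\\fileserver\\share"},   # benign share mapping
    {"host": "win10-lab", "command_line": "net user"},                        # enumeration only
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}  {rule:34}  {cmd}")
```

Command-line matching misses accounts created through APIs or renamed binaries, so pair it with Windows Security event ID 4720 (a user account was created) where audit logging is enabled.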
Test 3
Test 4
Test 6
© 2021. This work is licensed under a CC BY-SA 4.0 license