Common Information

Type | Value
---|---
Value | Create Account - T1136
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description | Adversaries with a sufficient level of access may create a local system or domain account. Such accounts can provide persistence without requiring a persistent remote access tool to be deployed on the system. The `net user` commands can be used to create a local or domain account. Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system or domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary. Platforms: Linux, macOS, Windows. Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs. Permissions Required: Administrator
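The detection guidance above names three signals: Event ID 4720 in the Windows Security log, `net user ... /add` on the process command line, and a periodic audit of accounts against what is expected. The script below is an added example (not part of the MISP/ATT&CK record) that applies all three to constructed sample telemetry; the event field names (`EventID`, `SubjectUserName`, `TargetUserName`, `CommandLine`) follow the usual Windows event export layout, and the account baseline is an assumed list for illustration.

```python
import re

# Constructed Windows Security log records, reduced to the fields used here.
# 4720 = "A user account was created"; 4624 is an ordinary logon for contrast.
SECURITY_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "alice",
     "TargetUserName": "alice"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "TargetUserName": "support2"},
    {"EventID": 4720, "Computer": "WS07", "SubjectUserName": "Administrator",
     "TargetUserName": "helpdesk"},
]

# Constructed process-creation records (4688/Sysmon-style command lines).
PROCESS_EVENTS = [
    {"Computer": "WS07", "User": "CORP\\Administrator",
     "CommandLine": "net user helpdesk P@ssw0rd! /add"},
    {"Computer": "WS07", "User": "CORP\\bob", "CommandLine": "net user"},
    {"Computer": "DC01", "User": "CORP\\svc_backup",
     "CommandLine": "C:\\Windows\\System32\\net1.exe user support2 Winter2024 /add /domain"},
]

# Assumed baseline of approved accounts, as an audit would maintain it.
APPROVED_ACCOUNTS = {"alice", "bob", "svc_backup", "Administrator", "helpdesk"}

# Matches "net user <name> [<password>] /add", also via net1.exe or a full path.
NET_USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE
)


def account_creations(events):
    """Return (computer, creating account, new account) for each Event ID 4720."""
    return [
        (e["Computer"], e["SubjectUserName"], e["TargetUserName"])
        for e in events
        if e.get("EventID") == 4720
    ]


def net_user_additions(events):
    """Return (computer, user, new account) for each command line that adds an account."""
    hits = []
    for e in events:
        match = NET_USER_ADD.search(e.get("CommandLine", ""))
        if match:
            hits.append((e["Computer"], e["User"], match.group(1)))
    return hits


def audit_unapproved(created, approved):
    """Audit step: names from 4720 events that are absent from the approved baseline."""
    return sorted({name for _, _, name in created if name not in approved})


if __name__ == "__main__":
    created = account_creations(SECURITY_EVENTS)
    for computer, creator, name in created:
        print(f"4720 on {computer}: {creator} created account {name}")
    for computer, user, name in net_user_additions(PROCESS_EVENTS):
        print(f"command line on {computer}: {user} ran net user ... /add for {name}")
    for name in audit_unapproved(created, APPROVED_ACCOUNTS):
        print(f"audit: account {name} is not in the approved baseline")
```

On this sample, both creations surface through the event log and through the command line, and the audit flags `support2` as the one account that nobody approved; the command-line check matters on hosts where Security log collection is incomplete, and the audit catches accounts created by means that never touch `net user`.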
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2024-11-14 | 24 | Major cyber attacks and data breaches of 2024
Details | Website | 2024-11-13 | 23 | T.A. — RansomHub
Details | Website | 2024-11-10 | 0 | Some free cybersecurity courses certificates.
Details | Website | 2024-11-08 | 8 | Hack The Box \| Sherlock \| Brutus
Details | Website | 2024-11-08 | 25 | Dark Web Profile: CosmicBeetle (NoName) Ransomware - SOCRadar® Cyber Intelligence Inc.
Details | Website | 2024-11-06 | 0 | Google Cloud: MFA Will Be Mandatory for All Users in 2025
Details | Website | 2024-11-04 | 57 | Threat Intelligence Report October 29 - November 4 2024 \| Red Piranha
Details | Website | 2024-10-29 | 2 | Fundamental Cross-Site Scripting (XSS)
Details | Website | 2024-10-29 | 14 | Brutus: Sherlock Hack The Box Challenge : Writeup— Understanding auth.log and wtmp
Details | Website | 2024-10-28 | 4 | Easy 400$ Bounty on Hackerone Public BBP
Details | Website | 2024-10-24 | 16 | Talos IR trends Q3 2024: Identity-based operations loom large
Details | Website | 2024-10-23 | 76 | Embargo ransomware: Rock’n’Rust
Details | Website | 2024-09-26 | 5 | Finding subdomains using security trails api key
Details | Website | 2024-09-25 | 24 | Zero Trust Protections - Illustrated
Details | Website | 2024-09-23 | 17 | Mastering Cloud-Specific IOCs for Enhanced Threat Detection \| Wiz Blog
Details | Website | 2024-09-23 | 45 | Threat Intelligence Report 17th September – 23rd September 2024
Details | Website | 2024-09-21 | 0 | Phish like a Phisher, Defend like a Guardian, Part 2.
Details | Website | 2024-09-21 | 39 | Unmasking Advanced Threat Actors: How Cloud Identity and Access Management is Under Attack
Details | Website | 2024-09-10 | 129 | CosmicBeetle steps up: Probation period at RansomHub
Details | Website | 2024-09-05 | 5 | Blocking Users from Registration
Details | Website | 2024-09-02 | 43 | Iranian State-Sponsored Hackers Have Become Access Brokers For Ransomware Gangsca - Cyble
Details | Website | 2024-08-30 | 24 | Emulating the Extortionist Mallox Ransomware
Details | Website | 2024-08-29 | 269 | #StopRansomware: RansomHub Ransomware \| CISA
Details | Website | 2024-08-28 | 62 | Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations \| CISA
Details | Website | 2024-08-28 | 44 | BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks