Common Information

| Type | Value |
|---|---|
| Value | Create Account - T1136 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system. The `net user` commands can be used to create a local or domain account. Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary. Platforms: Linux, macOS, Windows. Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs. Permissions Required: Administrator |
| Details | CTI | Published | Attributes | Title |
|---|---|---|---|---|
| Details | Website | 2024-08-21 | 30 | Linux Detection Engineering - A primer on persistence mechanisms — Elastic Security Labs |
| Details | Website | 2024-08-19 | 20 | PG_MEM: A Malware Hidden in the Postgres Processes |
| Details | Website | 2024-08-12 | 27 | You Don't Know the HAFNIUM of it... |
| Details | Website | 2024-07-02 | 5 | Pentesting results for 2023 |
| Details | Website | 2024-06-19 | 115 | Akira - The old-new style crime |
| Details | Website | 2024-06-13 | 9 | Introducing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake |
| Details | Website | 2024-06-04 | 56 | Lost in the Fog: A New Ransomware Threat - Arctic Wolf |
| Details | Website | 2024-02-23 | 85 | SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) \| Huntress |
| Details | Website | 2024-01-19 | 17 | Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining \| Datadog Security Labs |
| Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 |
| Details | Website | 2023-11-28 | 81 | Aki-RATs - Command and Control Party |
| Details | Website | 2023-11-20 | 4 | How to use multiple instances of AWS IAM Identity Center \| Amazon Web Services |
| Details | Website | 2023-11-13 | 78 | Don’t throw a hissy fit; defend against Medusa |
| Details | Website | 2023-10-31 | 72 | Unveiling the Dark Side: A Deep Dive into Active Ransomware Families |
| Details | Website | 2023-10-23 | 273 | Red Team Tools |
| Details | Website | 2023-09-15 | 110 | Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware |
| Details | Website | 2023-09-15 | 816 | UNC3944: SMS Phishing, SIM Swapping, and Ransomware Attacks |
| Details | Website | 2023-09-04 | 41 | New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services |
| Details | Website | 2023-08-25 | 195 | Russia/Ukraine Update - August 2023 |
| Details | Website | 2023-08-10 | 0 | ASCWG 2023 Quals Reverse Engineering Challenges |
| Details | Website | 2023-07-28 | 10 | Geographic Restrictions via Nginx & MaxmindDB — July 2023 |
| Details | Website | 2023-07-27 | 117 | Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector |
| Details | Website | 2023-07-25 | 6 | APT Profile: Kimsuky - SOCRadar® Cyber Intelligence Inc. |
| Details | Website | 2023-07-25 | 7 | UNKNOWN |
| Details | Website | 2023-07-21 | 4 | This Week in Cybersecurity: July 17th-21st |