Common Information
Type Value
Value Create Account - T1136
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Adversaries with a sufficient level of access may create a local system or domain account. Such accounts can provide persistence without requiring a persistent remote access tool to be deployed on the system. The <code>net user</code> commands can be used to create a local or domain account.
Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created: on the local Windows system for a local account and on the domain controller for a domain account. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
Platforms: Linux, macOS, Windows
Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs
Permissions Required: Administrator
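As an added worked example (not part of the MISP cluster or the MITRE entry), the following Python script applies the two detections the description points at to Windows Security log records in the XML shape Windows emits: Event ID 4720 account creations whose creating identity is not on an allow-list of provisioning accounts, and Event ID 4688 process-creation events whose command line is a net user ... /add. The host names, user names, sample events and the APPROVED_CREATORS allow-list are all constructed for illustration. Note that 4688 only carries a CommandLine field when the "Include command line in process creation events" audit policy is enabled, and that 4720 for a local account is written to the endpoint's own Security log, so workstation logs must be collected for local-account creation to be visible.

```python
"""Triage of Windows account-creation telemetry for T1136 (Create Account).
Added example: parses constructed Security log records in EVTX XML shape and
reports 4720 account creations by unapproved identities plus `net user /add`
command lines seen in 4688 process-creation events. All data is constructed."""
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# Identities permitted to create accounts (constructed allow-list).
APPROVED_CREATORS = {"CORP\\svc_iam"}
# `net user <name> [password] /add`; net.exe hands off to net1.exe, so match both.
NET_USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE
)


def make_event(event_id, computer, time, **data):
    """Build one record in EVTX XML shape (constructed input, not a real export)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>{event_id}</EventID>'
        f'<Computer>{computer}</Computer><TimeCreated SystemTime="{time}"/></System>'
        f"<EventData>{fields}</EventData></Event>"
    )


def parse_event(xml_text):
    """Flatten the System header and the EventData Name/value pairs of one record."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVT_NS}System")
    return {
        "event_id": int(system.find(f"{EVT_NS}EventID").text),
        "computer": system.find(f"{EVT_NS}Computer").text,
        "time": system.find(f"{EVT_NS}TimeCreated").get("SystemTime"),
        "data": {d.get("Name"): d.text or "" for d in root.iter(f"{EVT_NS}Data")},
    }


def _actor(data):
    return f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}"


def triage_account_creation(ev, approved=APPROVED_CREATORS):
    """4720: flag unless the creator is on the allow-list. TargetDomainName is the
    host's own name for a local account and the NetBIOS domain for a domain one."""
    d, creator = ev["data"], _actor(ev["data"])
    if creator in approved:
        return None
    local = d.get("TargetDomainName", "").upper() == ev["computer"].split(".")[0].upper()
    return {"rule": "T1136 unapproved account creation (4720)", "time": ev["time"],
            "host": ev["computer"], "creator": creator,
            "account": d.get("TargetUserName"), "scope": "local" if local else "domain"}


def triage_command_line(ev):
    """4688: flag `net user ... /add`; a `/domain` switch means a domain account."""
    cmd = ev["data"].get("CommandLine", "")
    m = NET_USER_ADD.search(cmd)
    if not m:
        return None
    return {"rule": "T1136 net user /add on command line (4688)", "time": ev["time"],
            "host": ev["computer"], "creator": _actor(ev["data"]), "account": m.group("name"),
            "scope": "domain" if re.search(r"/domain\b", cmd, re.IGNORECASE) else "local"}


def triage(xml_events, approved=APPROVED_CREATORS):
    """Run both detections over raw records; unrelated event IDs are skipped."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["event_id"] == 4720:
            finding = triage_account_creation(ev, approved)
        elif ev["event_id"] == 4688:
            finding = triage_command_line(ev)
        else:
            continue
        if finding:
            findings.append(finding)
    return findings


# Constructed sample batch: DC01 is a domain controller, WS17 a workstation.
SAMPLE_EVENTS = [
    make_event(4720, "DC01.corp.example", "2022-11-10T02:13:44Z", SubjectUserName="jdoe",
               SubjectDomainName="CORP", TargetUserName="svc_backup2", TargetDomainName="CORP"),
    make_event(4720, "DC01.corp.example", "2022-11-10T09:00:01Z", SubjectUserName="svc_iam",
               SubjectDomainName="CORP", TargetUserName="asmith", TargetDomainName="CORP"),
    make_event(4720, "WS17.corp.example", "2022-11-10T02:15:09Z", SubjectUserName="Administrator",
               SubjectDomainName="WS17", TargetUserName="support", TargetDomainName="WS17"),
    make_event(4688, "WS17.corp.example", "2022-11-10T02:15:08Z", SubjectUserName="Administrator",
               SubjectDomainName="WS17", NewProcessName="C:\\Windows\\System32\\net1.exe",
               CommandLine="net1  user support Summ3r!! /add"),
    make_event(4688, "WS17.corp.example", "2022-11-10T02:10:00Z", SubjectUserName="jdoe",
               SubjectDomainName="CORP", NewProcessName="C:\\Windows\\System32\\net.exe",
               CommandLine="net  user jdoe /domain"),  # enumeration, not creation
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['rule']}: {f['creator']} -> {f['account']} ({f['scope']})")
```

Run against the constructed batch, the script reports three findings: the domain account created on DC01 by an ordinary user, the local account created on WS17 by the local Administrator, and the net1 ... /add command line that produced it; the provisioning account's creation and the plain net user enumeration are not flagged. Correlating the 4688 and 4720 pair on the same host and within the same second, as here, is what turns a noisy command-line hit into a confirmed account creation.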
Details Published Attributes CTI Title
Details Website 2022-11-18 19 U.S. Federal Network Hacked – APT Hackers Compromised Domain Controller
Details Website 2022-11-17 4 SafeBreach Coverage for US-CERT Alert (AA22-320A) – Iranian State-Sponsored APT Actors
Details Website 2022-11-16 32 Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA
Details Website 2022-10-18 45 Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More
Details Website 2022-10-14 52 Ransom Cartel Ransomware: A Possible Connection With REvil
Details Website 2022-10-14 55 Ransom Cartel Ransomware: A Possible Connection With REvil
Details Website 2022-09-28 1 Exploits Explained: 5 Unusual Authentication Bypass Techniques
Details Website 2022-09-14 96 Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations | CISA
Details Website 2022-09-08 85 CUBA Ransomware Campaign Analysis — Elastic Security Labs
Details Website 2022-09-07 28 Profiling DEV-0270: PHOSPHORUS’ ransomware operations - Microsoft Security Blog
Details Website 2022-09-07 23 Profiling DEV-0270: PHOSPHORUS’ ransomware operations | Microsoft Security Blog
Details Website 2022-08-30 34 Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Details Website 2022-08-25 40 Threat Assessment: Black Basta Ransomware
Details Website 2022-08-10 138 Cisco Talos shares insights related to recent cyber attack on Cisco
Details Website 2022-07-19 33 Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More
Details Website 2022-06-09 31 LockBit 2.0: How This RaaS Operates and How to Protect Against It
Details Website 2022-06-02 99 To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions | Mandiant
Details Website 2022-04-04 34 Ransomware Spotlight: AvosLocker - Security News
Details Website 2022-02-23 314 (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware | Mandiant
Details Website 2022-01-25 95 Prime Minister’s Office Compromised: Details of Recent Espionage Campaign
Details Website 2021-11-29 108 Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
Details Website 2021-11-19 43 Corporate Loader "Emotet": History of "X" Project Return for Ransomware
Details Website 2021-10-04 173 BazarLoader and the Conti Leaks
Details Website 2021-09-16 39 APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus | CISA