Common Information
| Type | Value |
|---|---|
| Value | Create Account - T1136 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. The `net user` commands can be used to create a local or domain account. Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary. Platforms: Linux, macOS, Windows. Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs. Permissions Required: Administrator |
| Details | CTI | Published | Attributes | Title |
|---|---|---|---|---|
| Details | Website | 2021-08-19 | 8 | Here's another free CA as an alternative to Let's Encrypt! |
| Details | Website | 2021-07-28 | 10 | Phases of a Post-Intrusion Ransomware Attack |
| Details | Website | 2021-07-10 | 106 | Common Tools & Techniques Used By Threat Actors and Malware — Part I |
| Details | Website | 2021-06-15 | 53 | Handy guide to a new Fivehands ransomware variant |
| Details | Website | 2021-04-27 | 236 | Lazarus Group Recruitment: Threat Hunters vs Head Hunters |
| Details | Website | 2021-04-21 | 36 | Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03) |
| Details | Website | 2021-04-20 | 102 | Authentication Bypass Techniques and Pulse Secure Zero-Day |
| Details | Website | 2021-03-11 | 27 | You Don't Know the HAFNIUM of it... |
| Details | Website | 2021-03-09 | 8 | Hafnium Microsoft Hack – Active Exploitation of Microsoft Exchange and Lateral Movement |
| Details | Website | 2021-03-03 | 28 | Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk |
| Details | Website | 2018-09-27 | 6 | Application Licensing with Blockchain: EOS Network \| Apriorit |
| Details | Website | 2018-07-06 | 5 | Categorizing and Enriching Security Events in an ELK with the Help of Sysmon and ATT&CK |
| Details | Website | 2017-10-21 | 605 | Phobos |
| Details | Website | 2017-02-07 | 3 | Tax Refund Scams: Benefits to filing early and often |
| Details | Website | 2017-01-01 | 1 | SWIFT login |
| Details | Website | 2012-05-30 | 1 | Using BackTrack 5 R2 with Metasploit Community or Metasploit Pro \| Rapid7 Blog |