T1136.002SubTechniquepersistenceagent-callable

T1136.002Domain Account

Sub-technique of T1136

Platforms: Windows · macOS · Linux

ATT&CK version: 14.1

What it is

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ATT&CK tactics· 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1136/002
  2. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.