Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
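The description above spans local, domain and cloud account creation, so a defender's first control is to see every creation event in one place. The following Python is an added example, not part of the MITRE ATT&CK page or of any referenced vendor product: it normalises three constructed log records (a Windows Security event 4720 in key=value form, a Linux useradd syslog line, and a CloudTrail-style IAM CreateUser record) into one shape and flags creations whose actor is unknown or not on a hypothetical allowlist. Hostnames, user names, account IDs and the allowlist are invented.

```python
"""Detect account-creation events across local and cloud telemetry.

Added example (not part of the MITRE ATT&CK page). The log lines are
constructed samples: the field layouts follow Windows Security event 4720,
a Linux useradd syslog entry and a CloudTrail-style IAM CreateUser record,
but every host, user and timestamp is invented.  ALLOWED_CREATORS is a
hypothetical policy knob, not a real product setting.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Windows Security event 4720 ("A user account was created") rendered as
# key=value, as a SIEM forwarder might emit it.  (constructed sample)
WIN_4720 = (
    "2024-05-02T03:14:07Z host=WS-FIN-07 EventID=4720 "
    "SubjectUserName=svc_backup TargetUserName=helpdesk2"
)
# Linux useradd writes this shape to auth.log.  (constructed sample)
LINUX_USERADD = (
    "May  2 03:16:41 web01 useradd[2210]: new user: name=sysadm, UID=1003, "
    "GID=1003, home=/home/sysadm, shell=/bin/bash"
)
# CloudTrail-style IAM CreateUser record, trimmed.  (constructed sample)
CLOUD_CREATEUSER = json.dumps({
    "eventTime": "2024-05-02T03:20:11Z",
    "eventName": "CreateUser",
    "userIdentity": {"userName": "deploy-ci"},
    "requestParameters": {"userName": "svc-reporting"},
    "recipientAccountId": "123456789012",
})

SAMPLE_LOGS = [WIN_4720, LINUX_USERADD, CLOUD_CREATEUSER]

# Hypothetical policy: identities permitted to create accounts, per scope.
ALLOWED_CREATORS = {
    "local": {"Administrator", "provisioning"},
    "cloud": {"terraform-iam"},
}


@dataclass(frozen=True)
class AccountCreation:
    scope: str              # "local" or "cloud"
    host: str               # hostname, or cloud account id
    actor: Optional[str]    # who created the account; None if the log lacks it
    new_account: str
    when: str


_WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4720 "
    r"SubjectUserName=(?P<actor>\S+) TargetUserName=(?P<target>\S+)")
_LINUX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) useradd\[\d+\]: "
    r"new user: name=(?P<target>[^,]+)")


def parse_event(line):
    """Normalise one log line into an AccountCreation, or None if the line
    is not an account-creation record."""
    m = _WIN_RE.match(line)
    if m:
        return AccountCreation("local", m["host"], m["actor"], m["target"], m["ts"])
    m = _LINUX_RE.match(line)
    if m:
        # useradd's own syslog line does not name the invoking user; that
        # lives in the preceding sudo/PAM line, so the actor is unknown here.
        return AccountCreation("local", m["host"], None, m["target"], m["ts"])
    if line.lstrip().startswith("{"):
        rec = json.loads(line)
        if rec.get("eventName") == "CreateUser":
            return AccountCreation(
                "cloud", rec.get("recipientAccountId", "?"),
                rec.get("userIdentity", {}).get("userName"),
                rec["requestParameters"]["userName"], rec["eventTime"])
    return None


def find_suspicious_creations(lines, allowed=ALLOWED_CREATORS):
    """Return creations whose actor is unknown or not on the allowlist.
    An unknown actor is treated as suspicious so it is never silently dropped."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.actor is None or ev.actor not in allowed.get(ev.scope, set()):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_creations(SAMPLE_LOGS):
        print(f"[{a.scope}] {a.when} {a.host}: "
              f"{a.actor or 'unknown actor'} created {a.new_account}")
```

All three constructed records are flagged: the Windows creator is not allowlisted, the useradd line carries no actor, and the cloud creator differs from the provisioning identity. In practice the unknown-actor path is where correlation with the preceding sudo or PAM record belongs.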
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1136 | Create Account | Intel Threat Detection Technology (TDT), in conjunction with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling the detection of Local Account Creation techniques (T1136.001) in real time. This integrated solution strengthens CrowdStrike Falcon, allowing for faster detection and mitigation of threats earlier in the kill chain while minimizing system performance impact. Local Account Creation involves adversaries creating new local accounts on compromised systems to maintain persistence or elevate privileges. These accounts are often used to bypass authentication mechanisms or provide unauthorized access to a system. Intel TDT plays a key role by providing granular visibility into program execution, memory access, and control flow, enabling the detection of suspicious account creation or modification. This real-time telemetry helps identify unusual behaviors, such as unauthorized attempts to create or modify local accounts. AMS offloads memory scanning from the CPU to the Intel Integrated GPU, ensuring that detection remains fast and efficient without compromising system performance. This combined solution provides a powerful defense against Local Account Creation techniques, helping organizations quickly identify and neutralize threats aimed at gaining unauthorized access through local accounts. |
intel-ptt | Intel Platform Trust Technology | Win 11, ESS/Hello | T1136 | Create Account | Windows Hello ESS authentication leverages a virtualization-based sandbox (Intel VT-x) to protect authentication data and significantly reduce the risk of brute-force attacks on passwords, as biometrics typically require physical presence or biometric data that cannot be easily guessed or replicated. It uses the TPM (Intel PTT) to store authentication data, including public/private key pairs. Windows Hello also includes Passkeys, a passwordless authentication option that generates a public/private key pair, with the public key shared with the service requiring authentication and the private key stored in the TPM, which is only released after local authentication on the device using either a biometric factor, such as a fingerprint or facial recognition, or a PIN. Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios. Windows Hello utilizes passkeys, which helps protect against the risk of credentials being stored in files by eliminating the need for passwords. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1136 | Create Account | CVE-2021-34473 is part of the ProxyShell vulnerability chain in Microsoft Exchange; it is a code execution vulnerability that requires no user action or privileges to exploit. |
CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1136 | Create Account | This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report. |
CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1136 | Create Account | CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity by adversaries has been observed: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, using only signed Windows binaries for follow-on actions, adding and deleting user accounts as needed, exfiltrating the Active Directory database, using Windows Management Instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control. |
CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1136 | Create Account | CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed exploiting this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts. |
CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | primary_impact | T1136 | Create Account | This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests. Adversaries have been observed adding accounts to configuration files. |
CVE-2023-35078 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | primary_impact | T1136 | Create Account | This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers exploit it by leveraging the default internet-facing API configuration, which allows them to access restricted functionality without authentication. Reports state that attackers who exploited this vulnerability gained access to personally identifiable information (PII) and added an administrator account on the affected EPMM server to allow further system compromise. |
CVE-2023-20198 | Cisco IOS XE Web UI Privilege Escalation Vulnerability | primary_impact | T1136 | Create Account | This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password. |
CVE-2023-22515 | Atlassian Confluence Data Center and Server Broken Access Control Vulnerability | primary_impact | T1136 | Create Account | This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. It enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed with exploiting this vulnerability in the wild. |
CVE-2023-28252 | Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability | secondary_impact | T1136 | Create Account | This vulnerability is exploited by an adversary that has already gained local access to the victim system. If successfully exploited, the adversary gains full SYSTEM-level privileges. This CVE has been leveraged in the wild by Storm-0506 in an intrusion that deployed Black Basta ransomware: the intrusion was initiated through a Qakbot infection and exploited CVE-2023-28252 to gain elevated privileges. The attackers used tools such as Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE: |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1136.001 | Local Account | 3 |
T1136.002 | Domain Account | 1 |
T1136.003 | Cloud Account | 1 |