T1136 Create Account Mappings

Intel Threat Detection Technology (TDT), in conjunction with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling the detection of Local Account Creation techniques (T1136.001) in real time. This integrated solution strengthens CrowdStrike Falcon, allowing for faster detection and mitigation of threats earlier in the kill chain while minimizing system performance impact. Local Account Creation involves adversaries creating new local accounts on compromised systems to maintain persistence or elevate privileges. These accounts are often used to bypass authentication mechanisms or provide unauthorized access to a system. Intel TDT plays a key role by providing granular visibility into program execution, memory access, and control flow, enabling the detection of suspicious account creation or modifications. This real-time telemetry helps identify unusual behaviors, such as unauthorized attempts to create or modify local accounts. AMS offloads memory scanning from the CPU to the Intel Integrated GPU, ensuring that detection remains fast and efficient, without compromising system performance. This combined solution provides a powerful defense against Local Account Creation techniques, helping organizations quickly identify and neutralize threats aimed at gaining unauthorized access through local accounts.

Windows Hello ESS authentication leverages virtual sandbox(Intel VT-X) to protect authentication data to significantly reduce the risk of brute force attacks on passwords, as biometrics typically require physical presence or biometric data that cannot be easily guessed or replicated. It uses the TPM (Intel PTT) to store authentication data including public/private key pairs. Windows Hello also includes Passkeys, a passwordless authentication option that generates public/private key pair with the public key shared with the service requiring authentication and the private key stored in the TPM, which is only released after authentication locally on the device using either a biometric factor such as fingerprint, facial recognition, or a PIN. Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios. Windows Hello utilizes passkeys which helps protect against the risk of credentials being stored in files by eliminating the need for passwords.