1. Home
  2. ATT&CK Techniques
  3. T1136 Create Account

T1136 Create Account Mappings

Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1136 Create Accounts
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1136 Create Accounts
action.malware.variety.Modify data Malware which compromises a legitimate file rather than creating new filess related-to T1136 Create Accounts
attribute.integrity.variety.Created account Created new user account related-to T1136 Create Accounts

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
advanced_protection_program Advanced Protection Program technique_scores T1136 Create Account
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling Advanced Protection Program for all users at an organization can prevent adversaries from maintaining access via created accounts because any accounts they create won't have the required security keys for MFA.
References
  1. ['https://landing.google.com/advancedprotection/']
google_secops Google Security Operations technique_scores T1136 Create Account
Comments
Google Security Ops is able to trigger based on suspicious system event logs, such as newly created local user accounts on Windows machines. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']
identity_platform Identity Platform technique_scores T1136 Create Account
Comments
Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems.
References
  1. ['https://cloud.google.com/identity-platform/docs/concepts']

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1136 Create Account
Comments
This control provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1136.001 Local Account 3
T1136.002 Domain Account 2
T1136.003 Cloud Account 5