T1136.002 Domain Account

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across the systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the "net user /add /domain" command can be used to create a domain account. (Citation: Savill 1999)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.


CRI Profile Mappings

Capability ID / Capability Description / Mapping Type / ATT&CK ID / ATT&CK Name / Notes

PR.IR-01.05 / Remote access protection / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.

PR.IR-01.06 / Production environment segregation / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

PR.PS-01.01 / Configuration baselines / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 / Least functionality / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.AA-05.02 / Privileged system access / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement protects against Domain Account through the use of privileged account management and the use of multi-factor authentication.

DE.CM-06.02 / Third-party access monitoring / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement protects against Domain Account through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

PR.AA-02.01 / Authentication of identity / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

PR.PS-01.03 / Configuration deviation / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement provides protection from Create Account: Domain Account through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges.

PR.PS-01.07 / Cryptographic keys and certificates / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement protects against Create Account through the use of key revocation and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts.

PR.AA-03.01 / Authentication requirements / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

PR.IR-01.01 / Network segmentation / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Limiting access to critical systems and domain controllers provides protection against adversaries attempting to create accounts.

PR.AA-01.01 / Identity and credential management / Mitigates / T1136.002 / Domain Account
Comments: This diagnostic statement protects against Domain Account through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

VERIS Mappings

Capability ID / Capability Description / Mapping Type / ATT&CK ID / ATT&CK Name / Notes

attribute.integrity.variety.Created account / Created new user account / related-to / T1136.002 / Domain Account

GCP Mappings

Capability ID / Capability Description / Mapping Type / ATT&CK ID / ATT&CK Name / Notes

identity_platform / Identity Platform / technique_scores / T1136.002 / Domain Account
Comments: Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend, or on another platform, thereby helping to prevent adversaries from gaining access to systems.