- Tactics
- Persistence
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1136.002
Description
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions
- T1197 — BITS Jobs
- T1205 — Traffic Signaling
- T1505 — Server Software Component