Establish Accounts

What: Establish Accounts

Establish Accounts is a sub-category within the MITRE ATT&CK framework, specifically under the Initial Access [TA0001] tactic. This sub-category involves techniques that adversaries use to create accounts in the environment of their target, which can facilitate sustained access and control over resources.

How: Techniques and Methods Used to Establish Accounts

  1. Creating Local System Accounts: Adversaries may create local accounts directly on a host. This could be achieved by exploiting system vulnerabilities or using stolen credentials to gain sufficient privileges. Tools like net user on Windows or useradd on Linux might be used.

  2. Creating Domain Accounts: If the adversary has gained sufficient privileges, they might create new accounts within a domain controller. This often involves interacting with Active Directory services using tools like PowerShell (New-ADUser) or directly manipulating LDAP entries.

  3. Using External Facing Services: Adversaries may create accounts through external services that integrate with internal systems (e.g., cloud services that sync with an internal user database).

  4. Exploiting Public-Facing Applications: By exploiting weaknesses in public-facing applications (e.g., SQL injection in a web application), an adversary might create an account within an application’s database that also grants access to the underlying system.

Where: Environments and Systems Targeted

  • Local Systems: Desktops, servers, and other individual devices where local accounts provide direct access.
  • Domain Controllers: Centralized systems managing user access in network environments.
  • Cloud-Based Infrastructure: Systems hosted on platforms like AWS, Azure, or Google Cloud where adversaries can exploit poorly secured configuration settings.
  • External Services: Public-facing applications such as web portals, forums, or management interfaces that may have direct integration with internal systems.

Why: Objectives Behind Establishing Accounts

  1. Persistence: Creating accounts gives adversaries a reliable means of maintaining access within an environment, even through disruptions such as system restarts or changes in network infrastructure.

  2. Elevation of Privilege: By creating new accounts or taking over existing ones, adversaries can escalate their privileges within a system or network, which is crucial for deeper exploitation.

  3. Lateral Movement: With legitimate credentials at their disposal, adversaries can move across the network more freely and with less likelihood of detection, accessing sensitive information and further compromising security.

  4. Avoiding Detection: Using seemingly legitimate user accounts can help adversaries blend in with normal traffic in an organization’s network, making it harder for security measures to detect malicious activity.

This detailed approach underlines how critical it is for organizations to monitor account creation and management activities closely and implement strict controls over these processes to mitigate such threats effectively.
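The monitoring the paragraph above calls for can be started with a small rule set over account-creation events. The following is an added example, not code from the original page or from MITRE: it parses constructed sample log lines for the two creation paths named in the "How" section (useradd on Linux, and Windows Security event 4720, "A user account was created", which also fires on a domain controller for New-ADUser) and flags creations by an unapproved creator, outside a provisioning window, or as a local rather than domain-managed account. The syslog-style rendering of the Windows events, the host names, the allowlist and the change window are all assumptions made for the example; real 4720 events arrive as structured EVTX/XML and would be parsed accordingly.

```python
"""Flag suspicious account-creation events in constructed sample logs.

Added example (not the page's or MITRE's code). All log lines, host names,
account names and policy values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The Windows lines assume the Security log has been
# forwarded in a flat syslog-like form; real 4720 events are structured EVTX.
SAMPLE_LOG = """\
Mar 3 10:15:01 web01 useradd[2311]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar 3 10:15:02 web01 sshd[2320]: Accepted publickey for deploy from 10.0.0.5 port 51422 ssh2
Mar 3 10:16:40 dc01 Security[4720]: A user account was created. SubjectUserName=jsmith TargetUserName=helpdesk2 TargetDomainName=CORP
Mar 3 10:17:11 dc01 Security[4722]: A user account was enabled. TargetUserName=helpdesk2
Mar 3 02:03:55 fs02 Security[4720]: A user account was created. SubjectUserName=ADMIN$ TargetUserName=support TargetDomainName=FS02
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# useradd's own syslog message records the new account but not who invoked it;
# the invoking user has to be correlated from sudo/auth logs separately.
USERADD_RE = re.compile(SYSLOG_PREFIX + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
# Event 4720 carries the creator (SubjectUserName) and the target account/domain.
WIN4720_RE = re.compile(
    SYSLOG_PREFIX
    + r"Security\[4720\]: .*SubjectUserName=(?P<subject>\S+) TargetUserName=(?P<name>\S+) TargetDomainName=(?P<domain>\S+)"
)

# Constructed policy: who may provision accounts, and during which hours.
APPROVED_CREATORS = {"jsmith"}
CHANGE_WINDOW = range(8, 18)  # 08:00-17:59 local time


@dataclass
class AccountCreation:
    ts: str
    host: str
    account: str
    creator: str      # "unknown" when the log line does not record it
    scope: str        # "local" or "domain"
    uid: Optional[int] = None


def parse_creations(log_text: str) -> List[AccountCreation]:
    """Extract account-creation events; unrelated lines are ignored."""
    events: List[AccountCreation] = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            events.append(AccountCreation(m["ts"], m["host"], m["name"], "unknown", "local", int(m["uid"])))
            continue
        m = WIN4720_RE.match(line)
        if m:
            # If the target domain equals the host name, the account is local
            # to that machine rather than a domain account.
            scope = "local" if m["domain"].upper() == m["host"].upper() else "domain"
            events.append(AccountCreation(m["ts"], m["host"], m["name"], m["subject"], scope))
    return events


def hour_of(ts: str) -> int:
    return int(ts.split()[2].split(":")[0])


def evaluate(events: List[AccountCreation]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, account, reasons) for every creation that breaks a rule."""
    findings = []
    for e in events:
        reasons = []
        if e.creator not in APPROVED_CREATORS:
            reasons.append(f"creator '{e.creator}' is not an approved provisioning account")
        if hour_of(e.ts) not in CHANGE_WINDOW:
            reasons.append("created outside the provisioning change window")
        if e.scope == "local":
            reasons.append("local account created on a host expected to use domain accounts")
        if reasons:
            findings.append((e.host, e.account, reasons))
    return findings


if __name__ == "__main__":
    for host, account, reasons in evaluate(parse_creations(SAMPLE_LOG)):
        print(f"{host}: new account '{account}'")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, the helpdesk2 creation on dc01 passes (approved creator, business hours, domain account), while svc_backup on web01 and support on fs02 are reported; the fs02 case trips all three rules. In practice the allowlist and window come from the change-management system, and the useradd finding should be enriched with the sudo entry that preceded it.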