T1136: Create Account

Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can r...

Platforms: Windows, IaaS, Linux, macOS, Network Devices, Containers, SaaS, Office Suite, Identity Provider, ESXi

32 Detections
3 Sources
3 Threat Actors

BY SOURCE

elastic: 26
sigma: 3
splunk_escu: 3

PROCEDURES (21)

Auto-extracted tags; the count is the number of detections matching each tag:

Persist: 4 detections
Persist: 3 detections
Process Creation Monitoring: 2 detections
Suspicious: 2 detections
Service: 2 detections
Bypass: 2 detections
Credential: 2 detections
Privilege: 2 detections
Token: 1 detection
Service: 1 detection
Unusual: 1 detection
Privilege: 1 detection
Api: 1 detection
Unusual: 1 detection
Cloud Monitoring: 1 detection
Aws: 1 detection
Token: 1 detection
Unusual: 1 detection
Registry Monitoring: 1 detection
Cloud: 1 detection
Bypass: 1 detection

DETECTIONS (32)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity:

Attempt to Create Okta API Token (elastic, medium)
AWS ElastiCache Security Group Created (sigma, low)
AWS IAM Create User via Assumed Role on EC2 Instance (elastic, medium)
AWS IAM Group Creation (elastic, low)
AWS Sensitive IAM Operations Performed via CloudShell (elastic, medium)
Cisco IOS Suspicious Privileged Account Creation (splunk_escu)
Cisco Privileged Account Creation with HTTP Command Execution (splunk_escu)
Cisco Privileged Account Creation with Suspicious SSH Activity (splunk_escu)
Creation of a Hidden Local User Account (elastic, high)
dMSA Account Creation by an Unusual User (elastic, high)
Entra ID External Guest User Invited (elastic, low)
Entra ID Service Principal Created (elastic, low)
ESXi Account Creation Via ESXCLI (sigma, medium)
FortiGate Administrator Account Creation from Unusual Source (elastic, medium)
FortiGate SSO Login Followed by Administrator Account Creation (elastic, high)
FortiGate Super Admin Account Creation (elastic, medium)
GCP Service Account Creation (elastic, low)
Linux Group Creation (elastic, low)
Linux User Account Creation (elastic, low)
Linux User Added to Privileged Group (elastic, low)
New GitHub Owner Added (elastic, medium)
New GitHub Personal Access Token (PAT) Added (elastic, low)
New Kubernetes Service Account Created (sigma, low)
OpenSSL Password Hash Generation (elastic, medium)
Potential Hidden Local User Account Creation (elastic, medium)
Potential Linux Backdoor User Account Creation (elastic, high)
Potential Persistence via File Modification (elastic, low)
Shadow File Modification by Unusual Process (elastic, low)
Spike in User Account Management Events (elastic, low)
Suspicious Passwd File Event Action (elastic, medium)
User Account Creation (elastic, low)
User or Group Creation/Modification (elastic, low)