Esc
Create Account - T1136
(ATT&CK® Technique)
Definition
Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1136["Create Account"] --> |creates| UserAccount["User Account"]; class T1136 OffensiveTechniqueNode;
class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
click T1136 href "/offensive-technique/attack/T1136/"; click UserAccount href "/dao/artifact/d3f:UserAccount"; T1136["Create Account"] --> |creates| CloudUserAccount["Cloud User Account"]; class T1136 OffensiveTechniqueNode;
class CloudUserAccount ArtifactNode; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount";
click T1136 href "/offensive-technique/attack/T1136/"; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount"; T1136["Create Account"] --> |creates| DomainUserAccount["Domain User Account"]; class T1136 OffensiveTechniqueNode;
class DomainUserAccount ArtifactNode; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";
click T1136 href "/offensive-technique/attack/T1136/"; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount"; T1136["Create Account"] --> |creates| LocalUserAccount["Local User Account"]; class T1136 OffensiveTechniqueNode;
class LocalUserAccount ArtifactNode; click LocalUserAccount href "/dao/artifact/d3f:LocalUserAccount";
click T1136 href "/offensive-technique/attack/T1136/"; click LocalUserAccount href "/dao/artifact/d3f:LocalUserAccount"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | CloudUserAccount["Cloud User Account"];
RestoreUserAccountAccess["Restore User Account Access"] -.->
| may-restore | T1136["Create Account"] ;
class RestoreUserAccountAccess DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | UserAccount["User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; UserAccountPermissions["User Account Permissions"] -->
| restricts | LocalUserAccount["Local User Account"];
UserAccountPermissions["User Account Permissions"] -.->
| may-isolate | T1136["Create Account"] ;
class UserAccountPermissions DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] -->
| restricts | UserAccount["User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] -->
| restricts | CloudUserAccount["Cloud User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] -->
| restricts | DomainUserAccount["Domain User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; AccountLocking["Account Locking"] -->
| disables | UserAccount["User Account"];
AccountLocking["Account Locking"] -.->
| may-evict | T1136["Create Account"] ;
class AccountLocking DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | CloudUserAccount["Cloud User Account"];
class AccountLocking DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | DomainUserAccount["Domain User Account"];
class AccountLocking DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | LocalUserAccount["Local User Account"];
class AccountLocking DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AgentAuthentication["Agent Authentication"] -->
| strengthens | LocalUserAccount["Local User Account"];
AgentAuthentication["Agent Authentication"] -.->
| may-harden | T1136["Create Account"] ;
class AgentAuthentication DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication"; UnlockAccount["Unlock Account"] -->
| restores | UserAccount["User Account"];
UnlockAccount["Unlock Account"] -.->
| may-restore | T1136["Create Account"] ;
class UnlockAccount DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | CloudUserAccount["Cloud User Account"];
class UnlockAccount DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | DomainUserAccount["Domain User Account"];
class UnlockAccount DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | LocalUserAccount["Local User Account"];
class UnlockAccount DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; AgentAuthentication["Agent Authentication"] -->
| strengthens | DomainUserAccount["Domain User Account"];
class AgentAuthentication DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | DomainUserAccount["Domain User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | LocalUserAccount["Local User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; LocalAccountMonitoring["Local Account Monitoring"] -->
| analyzes | LocalUserAccount["Local User Account"];
LocalAccountMonitoring["Local Account Monitoring"] -.->
| may-detect | T1136["Create Account"] ;
class LocalAccountMonitoring DefensiveTechniqueNode;
class LocalUserAccount ArtifactNode;
click LocalAccountMonitoring href "/technique/d3f:LocalAccountMonitoring"; DomainAccountMonitoring["Domain Account Monitoring"] -->
| monitors | DomainUserAccount["Domain User Account"];
DomainAccountMonitoring["Domain Account Monitoring"] -.->
| may-detect | T1136["Create Account"] ;
class DomainAccountMonitoring DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; AgentAuthentication["Agent Authentication"] -->
| strengthens | UserAccount["User Account"];
class AgentAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication"; AgentAuthentication["Agent Authentication"] -->
| strengthens | CloudUserAccount["Cloud User Account"];
class AgentAuthentication DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication";