Esc

Domain Account - T1136.002

(ATT&CK® Technique)

Definition

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1136002["Domain Account"] --> |creates| DomainUserAccount["Domain User Account"]; class T1136002 OffensiveTechniqueNode;
        class DomainUserAccount ArtifactNode; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";
        click T1136002 href "/offensive-technique/attack/T1136.002/"; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";    T1136002["Domain Account"] --> |creates| UserAccount["User Account"]; class T1136002 OffensiveTechniqueNode;
        class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
        click T1136002 href "/offensive-technique/attack/T1136.002/"; click UserAccount href "/dao/artifact/d3f:UserAccount";          UnlockAccount["Unlock Account"] -->
          | restores | DomainUserAccount["Domain User Account"];

          UnlockAccount["Unlock Account"] -.->
            | may-restore | T1136002["Domain Account"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UnlockAccount href "/technique/d3f:UnlockAccount";        DomainAccountMonitoring["Domain Account Monitoring"] -->
          | monitors | DomainUserAccount["Domain User Account"];

          DomainAccountMonitoring["Domain Account Monitoring"] -.->
            | may-detect | T1136002["Domain Account"] ;
          class DomainAccountMonitoring DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; AccountLocking["Account Locking"] -->
          | disables | DomainUserAccount["Domain User Account"];

          AccountLocking["Account Locking"] -.->
            | may-evict | T1136002["Domain Account"] ;
          class AccountLocking DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AccountLocking href "/technique/d3f:AccountLocking"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | DomainUserAccount["Domain User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | may-isolate | T1136002["Domain Account"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";               AccountLocking["Account Locking"] -->
          | disables | UserAccount["User Account"];

          
          class AccountLocking DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AccountLocking href "/technique/d3f:AccountLocking";  UserAccountPermissions["User Account Permissions"] -->
          | restricts | UserAccount["User Account"];

          
          class UserAccountPermissions DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";                                     RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | DomainUserAccount["Domain User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | may-restore | T1136002["Domain Account"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; AgentAuthentication["Agent Authentication"] -->
          | strengthens | DomainUserAccount["Domain User Account"];

          AgentAuthentication["Agent Authentication"] -.->
            | may-harden | T1136002["Domain Account"] ;
          class AgentAuthentication DefensiveTechniqueNode;
          class DomainUserAccount ArtifactNode;
          click AgentAuthentication href "/technique/d3f:AgentAuthentication";           RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | UserAccount["User Account"];

          
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess";  AgentAuthentication["Agent Authentication"] -->
          | strengthens | UserAccount["User Account"];

          
          class AgentAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AgentAuthentication href "/technique/d3f:AgentAuthentication";  UnlockAccount["Unlock Account"] -->
          | restores | UserAccount["User Account"];

          
          class UnlockAccount DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UnlockAccount href "/technique/d3f:UnlockAccount";

json