Accounts
Local User Accounts
Using the `net user` command: this command adds a new user account to the local machine. The password is passed on the command line, so it appears in plaintext wherever process command lines are recorded (see Event ID 4688 below).
net user [username] [password] /add
Using the `New-LocalUser` PowerShell cmdlet: this cmdlet creates a new local user account. `-Password` takes a SecureString; the `ConvertTo-SecureString ... -AsPlainText -Force` form below embeds the password in the script and in any script block log, so it is only suitable for a throwaway example.
New-LocalUser -Name "username" -Password (ConvertTo-SecureString "password" -AsPlainText -Force)
Domain User Accounts
Using the `dsadd` command: this command adds a new user object to the Active Directory domain, identified by its distinguished name (the PowerShell equivalent is `New-ADUser` from the ActiveDirectory module).
dsadd user "cn=John Doe,cn=Users,dc=example,dc=com" -pwd Password123
Using Active Directory Administrative Center or Active Directory Users and Computers: GUI tools provided by Windows for managing Active Directory, allowing for the creation of user accounts within a domain.
Built-in Accounts
Enabling the Guest account or the built-in Administrator account:
These commands enable built-in accounts that are disabled by default (the Guest account everywhere, the built-in Administrator account on client editions of Windows). Enabling an existing account produces no creation event; it is recorded as Event ID 4722 (account enabled), so a 4722 without a preceding 4720 deserves attention on its own.
net user guest /active:yes
net user administrator /active:yes
Using Computer Management and Local Users and Groups
Graphical Interface: accessed by right-clicking "This PC" and selecting "Manage", then navigating to "Local Users and Groups", or directly by running `lusrmgr.msc`. This interface allows for account creation without command-line tools, so there is no command line to capture; the creation is still recorded in the Security log like any other.
Using Third-party Tools
Various third-party tools and scripts can create user accounts without the command lines defenders typically watch for (`net user`, `New-LocalUser`, `dsadd`). They do not bypass Windows auditing as such: any creation that goes through the SAM or Active Directory still produces Event ID 4720, but the creating process and subject are those of the tool, which attackers rely on to blend in with legitimate provisioning activity.
Examples of third-party tools are Secret Server (by Thycotic) and SailPoint. These applications offer advanced features for managing credentials, access, and identity across complex IT environments. While designed to enhance security and efficiency, these tools, like any powerful system, can be leveraged both legitimately and maliciously, and a compromised service account for one of them can create and modify accounts at scale. Understanding their legitimate uses and potential for misuse is crucial for maintaining security.
- Secret Server (Thycotic, now Delinea)
Privileged Account Management: Secret Server is widely used for managing privileged accounts, ensuring that sensitive credentials are stored securely and accessed according to strict policies.
Automated Password Rotation: the tool can automatically change passwords on various platforms, reducing the risk associated with static credentials.
Session Recording and Monitoring: Secret Server can record sessions initiated using privileged accounts, providing an audit trail for compliance and forensic analysis.
- SailPoint
Identity Governance: SailPoint provides comprehensive tools for identity governance, including automated provisioning and de-provisioning of access, ensuring that users have appropriate access rights based on their roles.
Compliance Management: it helps organizations comply with regulations by enforcing access policies and conducting access reviews, ensuring that only authorized users have access to sensitive data.
Risk Management: SailPoint assesses access risks across the organization and implements controls to mitigate these risks, enhancing overall security posture.
Intune
Intune allows organizations to manage devices and applications and to enforce compliance with the organization's security policies. The `deviceenroller.exe` executable automates the enrollment of Windows devices and is regularly observed as the source process of account creation events, both locally and in Azure. It is therefore a process to baseline rather than to alert on unconditionally.
Example Command Line (with an illustrative enrollment ID):
"C:\Windows\system32\deviceenroller.exe" /o "1221L81A-8821-I117-5Y138133912837167" /c /v
The `/o` flag specifies the enrollment token or object ID, a unique identifier associated with the enrollment profile in Intune. The value "1221L81A-8821-I117-5Y138133912837167" would be specific to a particular enrollment policy or profile configured in Intune.
The `/c` flag typically stands for "Corporate" enrollment: the enrollment is performed in the context of a corporate (work) account rather than a personal account, which matters for devices that will be managed under an organization's policies.
The `/v` flag enables verbose logging, so that detailed information about the enrollment process is captured. This is invaluable for troubleshooting when enrollment encounters issues or errors.
Artifacts for Identifying Account Creations or Modifications
1. Security Event Logs
Event ID 4720: a user account was created. The Subject fields identify who created the account and the Target fields give the new account's name, domain and SID. The event does not record the method used (command line, PowerShell or a GUI), so it must be paired with process or script logs to identify the tool, but it is the definitive indicator of account creation on the host that owns the account (the local machine for local accounts, the domain controller for domain accounts).
Event ID 4722: a user account was enabled. Tools such as `net user` and `New-LocalUser` create and enable the account in one operation, so a 4720 is normally followed within seconds by 4722, 4724 (password reset) and 4738 for the same target. A 4722 with no preceding 4720 indicates an existing account being re-enabled, such as Guest or the built-in Administrator.
Event ID 4738: a user account was changed. It covers attribute changes made through any interface, including the "Local Users and Groups" snap-in, such as updating the description, the password-never-expires flag or other account control values. Group membership changes are not reported here; they appear as the group management events (4732, 4728, 4756) listed below.
2. PowerShell Logs
PowerShell History: the PSReadLine console history (%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, written by default for interactive consoles in Windows PowerShell 5.1 and PowerShell 7) records typed commands, including `New-LocalUser` or other account creation cmdlets. It is a per-user plaintext file that is trivially deleted, so its absence or truncation can itself be notable.
Windows PowerShell operational logs: with script block logging enabled, Event ID 4104 in Microsoft-Windows-PowerShell/Operational contains the text of every executed script block, which preserves the cmdlet even when the history file has been cleared.
3. Command-Line Logging
Windows Command Line Processor: Security Event ID 4688 (process creation) includes the command-line arguments only when "Include command line in process creation events" is enabled alongside the Process Creation audit subcategory. With that in place it captures commands like `net user` used to create accounts. Note that `net.exe` hands the work to `net1.exe`, so the same command line usually appears in two 4688 events, and any password supplied on the command line is recorded in plaintext. Sysmon Event ID 1 records the same command line where Sysmon is deployed.
4. Group Membership Changes
Group Management Events: Event IDs 4732 (a member was added to a security-enabled local group), 4728 (added to a security-enabled global group) and 4756 (added to a security-enabled universal group) show a new account being granted membership, most importantly in Administrators or Remote Desktop Users; 4733 (a member was removed from a security-enabled local group) and 4737 (a security-enabled global group was changed) record related group changes. These are account management events, not Group Policy events, and require the Security Group Management audit subcategory. The member is identified by SID, so correlate on the TargetSid from the 4720 rather than on the account name.
5. Active Directory Logs (For Domain Accounts)
Directory Service Changes: 4720 and the group events above are generated on the domain controller that handled the change for domain accounts. With the Directory Service Changes subcategory enabled, Event ID 5137 (a directory service object was created) and 5136 (an object was modified) add the object's distinguished name and the changed attributes, which is what identifies a `dsadd` or `New-ADUser` creation in detail.
6. Prefetch Files
Prefetch files for tools like `cmd.exe`, PowerShell, `net.exe` and `net1.exe`, `dsadd.exe` or third-party utilities that can create users indicate that the tool ran and when (last run times and run count), though not what it did. Prefetch is enabled by default only on client editions of Windows and is normally disabled on servers, so do not treat its absence there as evidence of anything.
7. Registry
SAM (Security Account Manager): local accounts are stored under `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users`, one key per RID with a matching entry under the `Names` subkey, backed by the hive file C:\Windows\System32\config\SAM. The keys are readable only as SYSTEM (for example via `psexec -s` or an offline copy of the hive), but the last-write timestamps of a user's key and its `Names` entry give an approximate creation time that survives even if the Security log has been cleared.
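The following hunt ties the artifacts above together on a single host. It is an added example written for this page, not code from the page's author: for every 4720 in the Security log it collects the group additions that named the new account's SID, the 4688 command lines matching the creation tools listed on this page, and the 4104 script blocks that followed, and flags creations it could not attribute to any of them. The function names (`ConvertTo-EventData`, `Find-AccountCreation`), the lookback and correlation-window parameters, and the assumption that it runs elevated with User Account Management, Security Group Management, Process Creation (with command line) and script block logging enabled are all the example's own.

```powershell
# Added hunt example (not from the page). Correlates each 4720 on this host with the
# group additions, process command lines and PowerShell script blocks that followed it.
# Assumptions: run from an elevated PowerShell on the host being examined; the User
# Account Management, Security Group Management and Process Creation (with command line)
# audit settings and PowerShell script block logging are enabled.

# Turn an EventLogRecord into a hashtable keyed by the EventData field names
# (TargetUserName, SubjectUserName, MemberSid, CommandLine, ...).
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-AccountCreation {
    param(
        [int]$LookbackHours = 24,   # how far back to look for 4720s
        [int]$WindowMinutes = 10    # how long after a 4720 related events may follow
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 4720 = created, 4722 = enabled, 4732/4728/4756 = added to a local/global/universal group.
    $accountEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4720, 4722, 4732, 4728, 4756; StartTime = $since
        } -ErrorAction SilentlyContinue)

    foreach ($evt in ($accountEvents | Where-Object Id -eq 4720)) {
        $d         = ConvertTo-EventData $evt
        $targetSid = $d['TargetSid']
        $start     = $evt.TimeCreated.AddMinutes(-1)
        $end       = $evt.TimeCreated.AddMinutes($WindowMinutes)

        # Group additions identify the member by SID, so correlate on the new account's SID;
        # TargetUserName in these events is the group name, not the member.
        $groups = $accountEvents |
            Where-Object { ($_.Id -in @(4732, 4728, 4756)) -and $_.TimeCreated -ge $evt.TimeCreated -and $_.TimeCreated -le $end } |
            ForEach-Object { ConvertTo-EventData $_ } |
            Where-Object { $_['MemberSid'] -eq $targetSid } |
            ForEach-Object { $_['TargetUserName'] }

        # 4688 with command-line auditing: the tools this page lists. net.exe delegates to
        # net1.exe, so a "net user ... /add" line is usually seen twice.
        $cmdLines = @(Get-WinEvent -FilterHashtable @{
                LogName = 'Security'; Id = 4688; StartTime = $start; EndTime = $end
            } -ErrorAction SilentlyContinue) |
            ForEach-Object { (ConvertTo-EventData $_)['CommandLine'] } |
            Where-Object { $_ -match '(?i)net1?(\.exe)?\s+user\b.*\s/add|New-LocalUser|New-ADUser|dsadd\s+user|deviceenroller' }

        # 4104 script block logging keeps the cmdlet text even if ConsoleHost_history.txt was deleted.
        $blocks = @(Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $start; EndTime = $end
            } -ErrorAction SilentlyContinue) |
            Where-Object { $_.Message -match '(?i)New-LocalUser|New-ADUser|net\s+user' }

        [pscustomobject]@{
            Created      = $evt.TimeCreated
            Account      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            CreatedBy    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            AddedTo      = ($groups -join ', ')
            CommandLines = ($cmdLines -join ' | ')
            ScriptBlocks = @($blocks).Count
            # No matching command line and no script block: either the creating process is not
            # one of the listed tools (GUI, provisioning agent, attacker tooling) or command-line
            # auditing is off. Both are worth a look.
            Unattributed = (-not $cmdLines) -and (-not $blocks)
        }
    }
}

Find-AccountCreation -LookbackHours 72 | Format-Table -AutoSize
```

Rows with `AddedTo` containing Administrators or Remote Desktop Users, or with `Unattributed` set, are the ones to triage first; for domain accounts the same function has to be run against the domain controller's Security log (or the SIEM copy of it), because that is where the 4720 lives.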
Best Practices for Monitoring
Enable detailed auditing for account management: the User Account Management and Security Group Management subcategories under Advanced Audit Policy Configuration, plus Process Creation with command-line inclusion and PowerShell script block logging, so that 4720, 4722 and 4732 can be tied to the process and script that caused them.
Regularly review Security Event Logs for signs of unauthorized account creation, and baseline the expected sources (helpdesk tooling, provisioning such as Intune's deviceenroller.exe, PAM and identity governance platforms) so that creations by any other subject or process stand out.
Implement centralized logging and monitoring so that the events survive local log clearing (itself recorded as Event ID 1102) and can be alerted on.
Use security information and event management (SIEM) solutions to correlate events, for example a 4720 followed by a 4732 into Administrators or by a 4624 logon of the new account, and identify potential threats.
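The audit settings the practices above depend on are not all on by default. The following is an added configuration example for this page, not the page author's code: it enables the three audit subcategories, the command-line inclusion policy for 4688 and PowerShell script block logging on one host, then reads the effective policy back so that a setting that did not take (a GPO overriding it, for instance) is visible. The function name `Enable-AccountAuditing` is the example's own; the registry paths and values are the documented Windows policy locations, and the example assumes it is run elevated on a single host, with the same settings delivered by GPO in a domain.

```powershell
# Added configuration example (not from the page). Enables the audit sources the account
# creation artifacts rely on and reports the effective policy. Assumed to run elevated on
# one host; in a domain, deliver the same settings through a GPO instead.

function Enable-AccountAuditing {
    # User Account Management -> 4720/4722/4724/4738, Security Group Management -> 4728/4732/4756,
    # Process Creation -> 4688. Failures matter for the first two (denied account operations),
    # not for process creation.
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

    # 4688 carries the command line only when this policy value is 1.
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # Script block logging produces 4104 in Microsoft-Windows-PowerShell/Operational.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Read back the effective audit policy as CSV (/r) and keep only the subcategories set above.
    $wanted = @('User Account Management', 'Security Group Management', 'Process Creation')
    $policy = auditpol /get /category:* /r | ConvertFrom-Csv |
        Where-Object { $wanted -contains $_.Subcategory } |
        Select-Object Subcategory, 'Inclusion Setting'

    [pscustomobject]@{
        AuditPolicy          = $policy
        CommandLineIn4688    = (Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled').ProcessCreationIncludeCmdLine_Enabled -eq 1
        ScriptBlockLogging   = (Get-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging').EnableScriptBlockLogging -eq 1
    }
}

$result = Enable-AccountAuditing
$result.AuditPolicy | Format-Table -AutoSize
$result | Select-Object CommandLineIn4688, ScriptBlockLogging
```

Any subcategory still reported as "No Auditing" after this means a domain policy is overriding the local setting, which is where it should be changed; leaving the local setting in place only masks the gap until the next policy refresh.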