T1136.002: T1136.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 28/01/2020 15:05 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1136.002
Confidence: 100/100
Revoked: No
Published: 28/01/2020 15:05
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Domain Account

Platforms

windows macos linux

Description

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the `net user /add /domain` command can be used to create a domain account.(Citation: Savill 1999) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Kill chain phases

Kill chain	Phase
mitre-attack	persistence

Marking (TLP)

External references

Microsoft User Creation Event
Savill 1999
mitre-attack (T1136.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
embargo uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Medusa Group uses

The MITRE Corporation Confidence 100

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0494 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM uses Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (32)

ScreenConnect uses

Family
LockBit uses

Family
BlackCat uses
Rhysida uses

Family
Medusa uses

Family
Quantum Locker uses

Family
ExByte uses

Family
Babyk uses

Family
BlackCat - S1068 uses

Family
Cobalt Strike Beacon uses

Family
Trojan.Karagany uses
Fscan uses

Family

← Previous

Page / 3

13–24 of 32

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Uptick in Bomgar RMM Exploitation related

1 CVE 18 MITREs 6 Malwares 5 Observables
An Overview of The Gentlemen's TTPs related

AlienVault Confidence 100 4 CVEs 11 MITREs 7 Malwares 4 IOCs 4 Observables 1 APT
Stolen Service Accounts Lead to Rogue Workstations and … related

3 CVEs 12 MITREs 2 Observables
Sneeit WordPress RCE Exploited in the Wild While … related

4 CVEs 9 MITREs 2 Malwares 6 Observables
Cat's Got Your Files: Lynx Ransomware related

17 MITREs 7 Observables
Embargo ransomware: Rock'n'Rust related

14 MITREs 3 Malwares 1 APT
BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities … related

21 MITREs 2 Malwares 4 Observables 1 APT
Akira Ransomware Targets the LATAM Airline Industry related

3 CVEs 32 MITREs 1 Malware 2 Observables 1 APT
Warning Against Phishing Emails Prompting Execution of Commands … related

13 MITREs 1 Malware 15 Observables

Vulnerabilities (CVE) (15)

CVE-2025-32463 KEV targets

9.3 Critical

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) …

Attack vector: Local
Published: 29/09/2025
Modified: 27/05/2026

Received

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

CVE-2025-6389 targets

9.8 Critical

The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the …

Attack vector: NETWORK
Published: 25/11/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-59719 targets

9.8 Critical

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an …

Published: 09/12/2025
Modified: 09/12/2025

Analyzed

CVE-2024-37085 KEV targets

6.8 Medium

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an …

Attack vector: Network
Published: 30/07/2024
Modified: 27/05/2026

Awaiting Analysis

CVE-2025-59718 targets

9.8 Critical

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS …

Published: 09/12/2025
Modified: 17/12/2025

Analyzed

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2025-5394 targets

9.8 Critical

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability …

Published: 15/07/2025
Modified: 15/07/2025

Awaiting Analysis

CVE-2025-66516 targets

10.0 Critical

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out …

Attack vector: Local
Published: 20/12/2025
Modified: 30/12/2025

Analyzed

CVE-2025-2611 targets

9.3 Critical

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

← Previous

Page / 2

1–12 of 15

T1136 subtechnique-of

Create Account MITRE

Course Of Action (4)

Multi-factor Authentication mitigates
Network Segmentation mitigates
Operating System Configuration mitigates
Privileged Account Management mitigates

Campaign (2)

2015 Ukraine Electric Power Attack uses
2016 Ukraine Electric Power Attack uses

Tool (4)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…

Contact About Legal notice Privacy policy Terms of use