Create Account
Sub-techniques (1)
ID | Name |
---|---|
T1136.003 | Create Cloud Account |
A threat actor using credentials with appropriate permissions is able to create an account within an AWS organization that will use the payment method registered to the management or payer account. The threat actor will then be able to create resources and workloads within the newly created account that may not be subject to existing detections. By default, Service Control Policies are not assigned to new accounts during the creation of the account within an organization.
Detection
Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
Collect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
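As an added example (not code from this page or from ATT&CK) covering both the description of account creation inside an AWS organization and the cloud-log guidance in the paragraph above, the detection below runs over constructed CloudTrail-style records: it flags CreateAccount calls from principals outside an approved provisioning role, new accounts that received no Service Control Policy afterwards, and API activity originating from such accounts. The record shape is simplified and constructed; the eventSource and eventName strings follow CloudTrail naming for AWS Organizations, but the exact nesting of the CreateAccountResult fields, the account IDs, ARNs and policy ID are assumptions.

```python
"""Detection over constructed CloudTrail-style records: flag AWS
Organizations account creations by unexpected principals, new accounts with
no Service Control Policy attached, and activity from those accounts.
Added example; the records are constructed and simplified."""
import json

# Constructed records, one JSON object per line. IDs and ARNs are made up.
SAMPLE_TRAIL = """\
{"eventTime": "2024-03-04T10:00:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/AccountFactory"}, "requestParameters": {"accountName": "payments-dev", "email": "payments-dev@example.invalid"}}
{"eventTime": "2024-03-04T10:02:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccountResult", "serviceEventDetails": {"createAccountStatus": {"accountName": "payments-dev", "accountId": "222222222222", "state": "SUCCEEDED"}}}
{"eventTime": "2024-03-04T10:05:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "AttachPolicy", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/AccountFactory"}, "requestParameters": {"policyId": "p-baseline", "targetId": "222222222222"}}
{"eventTime": "2024-03-04T23:40:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-tmp"}, "requestParameters": {"accountName": "analytics", "email": "mailbox-a1@example.invalid"}}
{"eventTime": "2024-03-04T23:42:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccountResult", "serviceEventDetails": {"createAccountStatus": {"accountName": "analytics", "accountId": "333333333333", "state": "SUCCEEDED"}}}
{"eventTime": "2024-03-05T00:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:sts::333333333333:assumed-role/OrganizationAccountAccessRole/session"}, "requestParameters": {"instanceType": "p3.16xlarge"}}
"""

# Hypothetical: the only principal expected to create member accounts.
APPROVED_CREATORS = {"arn:aws:iam::111111111111:role/AccountFactory"}


def load_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def account_id_from_arn(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def detect_account_creation(records):
    """Return a dict with three findings lists:
    unexpected_creators: (accountName, callerArn) for CreateAccount calls
        by principals outside APPROVED_CREATORS;
    accounts_without_scp: IDs of successfully created accounts that never
        appear as the targetId of an AttachPolicy call;
    activity_in_unguarded_accounts: (eventName, accountId) for non-Organizations
        API calls made from an account in accounts_without_scp."""
    unexpected = []
    created = {}          # accountName -> accountId
    policy_targets = set()
    for rec in records:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        name = rec["eventName"]
        if name == "CreateAccount":
            arn = rec["userIdentity"]["arn"]
            acct = rec["requestParameters"]["accountName"]
            if arn not in APPROVED_CREATORS:
                unexpected.append((acct, arn))
        elif name == "CreateAccountResult":
            status = rec["serviceEventDetails"]["createAccountStatus"]
            if status.get("state") == "SUCCEEDED":
                created[status["accountName"]] = status["accountId"]
        elif name == "AttachPolicy":
            policy_targets.add(rec["requestParameters"]["targetId"])

    no_scp = [aid for aid in created.values() if aid not in policy_targets]

    # Second pass: any workload activity from an account with no SCP is worth
    # surfacing, since existing guardrails may not apply there.
    activity = []
    for rec in records:
        if rec.get("eventSource") == "organizations.amazonaws.com":
            continue
        caller_acct = account_id_from_arn(rec.get("userIdentity", {}).get("arn", ""))
        if caller_acct in no_scp:
            activity.append((rec["eventName"], caller_acct))

    return {
        "unexpected_creators": unexpected,
        "accounts_without_scp": no_scp,
        "activity_in_unguarded_accounts": activity,
    }


if __name__ == "__main__":
    for key, items in detect_account_creation(load_records(SAMPLE_TRAIL)).items():
        print(f"{key}: {items}")
```

The SCP check is an approximation: SCPs attached to the root or to the organizational unit that contains the account also apply to it, so a production version would resolve the account's parents (for example with the Organizations ListParents API) rather than only looking for an AttachPolicy whose targetId is the account itself.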