Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
A request to create a new domain user is associated with a persistent, planned attack rather than a random, opportunistic attack. An attacker must already have obtained valid administrator credentials to send this request. The ultimate objective of a persistent attack, such as data exfiltration, could have a significant impact on a business or organization.
The system might change the risk score for this detection.
Kill Chain
Risk Score
38
After infiltrating a network and obtaining administrator privileges, an attacker might attempt to establish a persistent presence by adding a new user to an Active Directory (AD) domain. The attacker remotely creates the user on the domain controller (DC) with the Microsoft Remote Procedure Call (MSRPC) protocol by calling the Security Account Manager Remote Protocol (SAMR) interface.
By creating a new user, the attacker establishes multiple ways to access the network and can retain a presence on the network even after one compromised account is detected and shut down.
Implement network segmentation, security zones, and firewall policies that limit access to systems that can create accounts
Enforce multi-factor authentication for remote users
Collect information about domain controller changes with Windows event forwarding and remote aggregation of host-based logs
Limit membership to the Administrators, Domain Admins, and Enterprise Admins groups
