创建账户是攻击者为维持持久化访问而在目标系统创建恶意账户的技术,涉及本地系统、域环境或云平台的账户生成。传统检测手段依赖监控账户创建命令(如net user)、审计事件日志(如Windows事件ID 4720)以及定期审查账户列表,云环境则通过CSPM监控异常权限分配。防御措施包括启用用户账户控制(UAC)、配置最小权限策略和实施多因素认证。
为规避账户创建行为的可检测性,攻击者发展出多维度的隐蔽账户创建技术,通过属性克隆、权限伪装、信任滥用等手法,将恶意账户深度嵌入目标身份管理体系,实现"合法化"身份构建与持久化控制。
现有匿迹技术的共性在于突破传统账户属性检测维度,构建多层次的合法性证明体系:影子账户克隆通过元数据镜像实现属性层隐匿,使恶意账户在审计界面与合法实体无异;云服务最小权限账户利用云平台权限模型的复杂性,在策略层伪装成合规服务主体;域信任滥用账户通过跨域信任链在空间维度转移账户创建位置;服务账户伪装则在行为层模仿系统服务的交互模式。四类技术均采用"表面合规+深层恶意"的双重结构,在账户创建阶段注入合法属性,在使用阶段控制行为特征强度,使得传统基于单维度规则(如异常权限检测)或静态特征库的防御机制难以有效识别。
匿迹技术的演进导致传统账户生命周期管理机制面临严峻挑战,防御方需构建跨域信任监控、云服务策略图谱分析、服务账户行为建模等新型检测能力,并引入基于属性变更关联分析的多维威胁狩猎体系,实现对隐蔽账户创建行为的精准识别。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过复制合法账户的元数据特征(如SID历史、SPN配置)和服务账户命名规范,使恶意账户在属性层面与正常实体无法区分。云环境中的最小权限账户则通过严格遵循IAM策略模板,伪装成合规服务主体。
在云账户创建过程中,攻击者利用平台加密API和角色会话令牌临时性特征,使得账户操作日志中的关键参数被加密或自动清除。域信任滥用账户的活动记录分散在多个域控制器日志中,需跨域关联分析才能识别完整攻击链。
采用分阶段账户激活策略,将账户创建与使用行为在时间维度解耦。例如先创建休眠账户,数月后再通过合法凭证激活。云环境中利用自动伸缩组动态创建临时实例关联账户,使恶意账户生命周期与云资源生命周期同步更替。
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with |
| G0119 | Indrik Spider |
Indrik Spider used |
| G1015 | Scattered Spider |
Scattered Spider creates new user identities within the compromised organization.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. |
| M1030 | Network Segmentation |
Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. |
| M1028 | Operating System Configuration |
Protect domain controllers by ensuring proper security configuration for critical servers. |
| M1026 | Privileged Account Management |
Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that are associated with account creation, such as net user or useradd |
| DS0009 | Process | Process Creation |
Monitor newly executed processes associated with account creation, such as net.exe |
| DS0002 | User Account | User Account Creation |
Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |