T1136Persistence

Create Account

Create accounts on the system or domain.

§ Where this technique fits

T1136 is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 2 on average.

Authoritative reference: attack.mitre.org/techniques/T1136/.

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
step 2 / 7
RBCD abuse → SYSTEM on a domain host
A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
step 2 / 5

§ What commonly comes next

01
Resource-Based Constrained Delegation (RBCD) Abuse
AD-RBCD · Lateral Movement
seen 1×
02
sAMAccountName Spoofing — noPac (CVE-2021-42278/42287)
AD-NOPAC · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin

RBCD abuse → SYSTEM on a domain host

§ What commonly comes next