T1136.001: Local Account
| View on MITRE ATT&CK | T1136.001 |
|---|---|
| Tactic(s) | Persistence |
Data from MITRE ATT&CK®:
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as `username`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
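The description above names the commands an adversary uses to create a local account (`net user /add`, `dscl -create`, and their Linux and PowerShell equivalents), and the detection section further down names the telemetry that records them (Windows EID 4720 for the new account, EID 4688 or Sysmon EID 1 for the command line). The following Python detector ties the two together. It is an added example, not code from MITRE or from this page: the JSON records are constructed stand-ins for those event fields (`type`, `host`, `user`, `cmdline`, `account` are assumed names), and the command patterns for `New-LocalUser`, `useradd` and `net localgroup` generalize beyond the two commands the description quotes.

```python
import json
import re

# Constructed sample telemetry for this example (not real logs), one JSON record
# per line. "process" records stand in for the command line of a Windows EID 4688
# or Sysmon EID 1 event; "account_created" records stand in for Windows EID 4720.
SAMPLE_LOG = r'''
{"host":"WS01","type":"process","user":"CORP\\jdoe","cmdline":"net  user backup_svc P@ssw0rd /add /expires:never"}
{"host":"WS01","type":"account_created","user":"CORP\\jdoe","account":"backup_svc"}
{"host":"WS01","type":"process","user":"CORP\\jdoe","cmdline":"net localgroup administrators backup_svc /add"}
{"host":"WS02","type":"process","user":"CORP\\itadmin","cmdline":"powershell.exe -c New-LocalUser -Name helpdesk"}
{"host":"WS03","type":"process","user":"CORP\\alice","cmdline":"net user alice"}
{"host":"MAC01","type":"process","user":"root","cmdline":"dscl . -create /Users/support"}
{"host":"LNX01","type":"process","user":"root","cmdline":"useradd -m -o -u 0 -g 0 svcacct"}
'''

# Command forms that create a local account; group 1 captures the account name.
CREATION_PATTERNS = [
    # Windows: net user <name> [password] /add  (net1.exe is the same tool)
    ("net user /add", re.compile(r'\bnet1?(?:\.exe)?\s+user\s+"?([^\s"/]+)"?(?=.*\s/add\b)', re.I)),
    # Windows PowerShell: New-LocalUser -Name <name> (or <name> positionally)
    ("New-LocalUser", re.compile(r'\bNew-LocalUser\s+(?:-Name\s+)?"?([^\s"]+)"?', re.I)),
    # macOS: dscl . -create /Users/<name>
    ("dscl -create", re.compile(r'\bdscl\b.*?-create\s+/Users/([^\s/]+)', re.I)),
    # Linux/BSD: useradd/adduser ... <name>, the account name is the last argument
    ("useradd", re.compile(r'\b(?:useradd|adduser)\b.*?\s([A-Za-z_][\w.-]*)\s*$')),
]

# net localgroup administrators <name> /add: the new account is made a local admin
LOCALGROUP_ADMIN = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+"?([^\s"/]+)"?(?=.*\s/add\b)', re.I)


def parse_records(log_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_local_account_creation(log_text):
    """Return one alert per account-creation command seen in process telemetry.

    A command alone is 'medium'. It becomes 'high' when the account is confirmed
    by an account_created record on the same host (the command succeeded) or when
    the command carries a risk marker: a never-expiring password, membership in
    the local Administrators group, or a root UID/GID on Linux/BSD.
    """
    records = parse_records(log_text)
    confirmed = {(r["host"], r["account"].lower())
                 for r in records if r["type"] == "account_created"}
    admin_adds = set()
    for r in records:
        if r["type"] == "process":
            m = LOCALGROUP_ADMIN.search(r["cmdline"])
            if m:
                admin_adds.add((r["host"], m.group(1).lower()))

    alerts = []
    for r in records:
        if r["type"] != "process":
            continue
        cmd = r["cmdline"]
        for technique, pattern in CREATION_PATTERNS:
            m = pattern.search(cmd)
            if not m:
                continue
            account = m.group(1)
            key = (r["host"], account.lower())
            tags = []
            if "/expires:never" in cmd.lower():
                tags.append("never-expires")
            if key in admin_adds:
                tags.append("added-to-administrators")
            if re.search(r'-[ug]\s+0\b', cmd):
                tags.append("root-uid-or-gid")
            alerts.append({
                "host": r["host"],
                "actor": r["user"],
                "account": account,
                "technique": technique,
                "confirmed": key in confirmed,
                "tags": tags,
                "severity": "high" if key in confirmed or tags else "medium",
            })
            break  # one alert per command line
    return alerts


if __name__ == "__main__":
    for alert in detect_local_account_creation(SAMPLE_LOG):
        print(json.dumps(alert))
```

The tags correspond to the higher-risk variants that the Sigma rules and Atomic tests listed on this page single out (a never-expiring password, a new admin user, a `root` UID/GID), and the `confirmed` flag is what separates an attempted creation from one that actually landed. Querying only by `net user`, as the `alice` record shows, would be noisy: the `/add` switch is the discriminating token.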
Reporting on this Technique
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator.
Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
How to detect this technique
MITRE ATT&CK Data Components
User Account Creation (User Account)
Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Create a new Windows admin user via .NET
Create a user account on a Linux system
Create a new user in FreeBSD with `root` GID.
Create a new user in a command prompt
Create a user account on a MacOS system
Create a user account on a FreeBSD system
Create a new Windows admin user
Create a new user in PowerShell
Create a new user in Linux with `root` UID and GID.
Sigma Detections for this Technique
New User Created Via Net.EXE With Never Expire Option
New User Created Via Net.EXE
Local User Creation
Suspicious Windows ANONYMOUS LOGON Local Account Created
Creation of a Local Hidden User Account by Registry
Privileged User Has Been Created
Cisco Local Accounts
Creation Of A Local User Account
Creation Of An User Account
User Added to Remote Desktop Users Group
PowerShell Create Local User
Hidden Local User Creation
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.