Applied Cybernetics Group
T1136.001 — Local Account
- Technique: T1136.001
- Tactics: Persistence
- MISP citations: 0
- KEV CVEs mapped: 2
- Community rules: 16
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1136/001
MITRE description
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the `dscl -create` command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News) Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Serv-U Exploitation CVE-2021-35211 by DEV-0322 (emerging-threats)
- DarkGate - User Created Via Net.EXE (emerging-threats)
- Creation Of An User Account (core)
- Privileged User Has Been Created (core)
- Creation Of A Local User Account (core)
- Cisco Local Accounts (core)
- FortiGate - New Administrator Account Created (core)
- FortiGate - New Local User Created (core)
- Hidden Local User Creation (core)
- Suspicious Windows ANONYMOUS LOGON Local Account Created (core)
- Local User Creation (core)
- PowerShell Create Local User (core)
- New User Created Via Net.EXE With Never Expire Option (core)
- New User Created Via Net.EXE (core)
- User Added to Remote Desktop Users Group (core)
- Creation of a Local Hidden User Account by Registry (core)
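The creation commands named in the MITRE description above, and the hidden-name and never-expire conditions several of the listed Sigma rules look for, can be checked against process command-line telemetry. The following is an added detection example, not code from this page or from SigmaHQ; the platform labels, the sample command lines and the `classify`/`detect` names are constructed for illustration.

```python
import re

# Constructed sample telemetry: (platform, process command line). Not from the page.
SAMPLE_EVENTS = [
    ("windows", "net user backupsvc P@ssw0rd! /add"),
    ("windows", "net1 user support$ Welcome1 /ADD /expires:never"),
    ("linux", "useradd -m -o -u 0 sysmaint"),
    ("macos", "dscl . -create /Users/helpdesk UniqueID 501"),
    ("esxi", "esxcli system account add -i svcacct -p Secret1 -c Secret1"),
    ("k8s", "kubectl create serviceaccount deploy-bot -n kube-system"),
    ("windows", "net use \\\\fileserver\\share"),  # benign: not an account creation
    ("linux", "userdel olduser"),  # benign: account removal, not creation
]

# One pattern per account-creation command from the technique description; each
# captures the new account name as 'user'. The useradd pattern assumes the login
# name is the final argument, as in the command's synopsis.
CREATION_PATTERNS = {
    "windows": re.compile(r"^\s*net1?\s+user\s+(?P<user>\S+)\s+.*?/add\b", re.I),
    "linux": re.compile(r"^\s*useradd\b.*\s(?P<user>[^-\s]\S*)\s*$"),
    "macos": re.compile(r"^\s*dscl\s+\S+\s+-create\s+/Users/(?P<user>[^\s/]+)", re.I),
    "esxi": re.compile(r"^\s*esxcli\s+system\s+account\s+add\b.*?(?:-i|--id)[\s=](?P<user>\S+)"),
    "k8s": re.compile(r"^\s*kubectl\s+create\s+(?:serviceaccount|sa)\s+(?P<user>\S+)"),
}

def classify(platform, cmdline):
    """Return a finding dict if cmdline creates a local account, else None."""
    pattern = CREATION_PATTERNS.get(platform)
    m = pattern.search(cmdline) if pattern else None
    if not m:
        return None
    user = m.group("user")
    flags = []
    # A trailing '$' keeps the account out of some Windows listings (cf. the
    # 'Hidden Local User Creation' rule); '/expires:never' matches the
    # 'New User Created Via Net.EXE With Never Expire Option' rule.
    if platform == "windows" and user.endswith("$"):
        flags.append("hidden-name")
    if platform == "windows" and re.search(r"/expires:never", cmdline, re.I):
        flags.append("never-expires")
    # useradd -u 0 (with -o) creates a second UID-0, i.e. root-equivalent, account.
    if platform == "linux" and re.search(r"(^|\s)-u\s*0\b", cmdline):
        flags.append("uid-0")
    return {"platform": platform, "user": user, "flags": flags}

def detect(events):
    """Run classify() over (platform, cmdline) pairs and keep only the matches."""
    return [f for f in (classify(p, c) for p, c in events) if f]
```

Running `detect(SAMPLE_EVENTS)` yields six findings and drops the two benign lines; in production the same logic would consume Sysmon Event ID 1 or auditd `execve` records rather than the constructed list.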