Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1136.001 | Local Account |
| AC-20 | Use of External Systems | Protects | T1136.001 | Local Account |
| AC-3 | Access Enforcement | Protects | T1136.001 | Local Account |
| AC-5 | Separation of Duties | Protects | T1136.001 | Local Account |
| AC-6 | Least Privilege | Protects | T1136.001 | Local Account |
| CM-5 | Access Restrictions for Change | Protects | T1136.001 | Local Account |
| CM-6 | Configuration Settings | Protects | T1136.001 | Local Account |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1136.001 | Local Account |
| IA-5 | Authenticator Management | Protects | T1136.001 | Local Account |
| SI-4 | System Monitoring | Protects | T1136.001 | Local Account |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1136.001 | Local Account |
| attribute.integrity.variety.Created account | Created new user account | related-to | T1136.001 | Create Account: Local Account |