T1136.001 Local Account Mappings

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1136.001 Local Account
AC-20 Use of External Systems Protects T1136.001 Local Account
AC-03 Access Enforcement Protects T1136.001 Local Account
AC-05 Separation of Duties Protects T1136.001 Local Account
AC-06 Least Privilege Protects T1136.001 Local Account
CM-05 Access Restrictions for Change Protects T1136.001 Local Account
CM-06 Configuration Settings Protects T1136.001 Local Account
IA-02 Identification and Authentication (organizational Users) Protects T1136.001 Local Account
IA-05 Authenticator Management Protects T1136.001 Local Account
SI-04 System Monitoring Protects T1136.001 Local Account
SI-07 Software, Firmware, and Information Integrity Protects T1136.001 Local Account