Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as <code>username</code>, or to Kubernetes clusters using the kubectl
utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1136.001 | Local Account |
AC-20 | Use of External Systems | Protects | T1136.001 | Local Account |
AC-03 | Access Enforcement | Protects | T1136.001 | Local Account |
AC-05 | Separation of Duties | Protects | T1136.001 | Local Account |
AC-06 | Least Privilege | Protects | T1136.001 | Local Account |
CM-05 | Access Restrictions for Change | Protects | T1136.001 | Local Account |
CM-06 | Configuration Settings | Protects | T1136.001 | Local Account |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1136.001 | Local Account |
IA-05 | Authenticator Management | Protects | T1136.001 | Local Account |
SI-04 | System Monitoring | Protects | T1136.001 | Local Account |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1136.001 | Local Account |