T1136.001 Local Account Mappings

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as `username`, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
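The detection side of this technique is usually a log-correlation problem: a local account creation event is noteworthy on its own, and far more so when the new account is placed in the local Administrators group shortly afterwards. The following Python script is an added example (not part of the ATT&CK page or any vendor's product) that parses constructed sample lines in the style of Windows Security events 4720 (account created) and 4732 (member added to a local group) and of the Linux `useradd` syslog message, then raises one alert per creation, with higher severity when the account is escalated within a short window. The text layout of the sample lines, the host names and account names are all constructed for the example; the `admin_window` parameter is an assumed tuning knob.

```python
"""Detect local account creation (T1136.001) from constructed log samples.

Added example, not part of the ATT&CK page. The log lines below are
constructed samples; the key=value layout imitates common text renderings of
Windows Security events 4720 and 4732 and the Linux `useradd` syslog message.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 WIN-HOST EventID=4720 SubjectUserName=svc_backup TargetUserName=support2 TargetDomainName=WIN-HOST",
    "2024-03-01T10:00:05 WIN-HOST EventID=4732 SubjectUserName=svc_backup MemberName=WIN-HOST\\support2 TargetUserName=Administrators",
    "2024-03-01T10:02:00 WIN-HOST EventID=4624 SubjectUserName=alice TargetUserName=alice",
    "2024-03-01T11:30:00 lin-host useradd[2231]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) (?P<kv>.*)$")
LINUX_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<name>[^,]+)")


@dataclass
class AccountEvent:
    ts: datetime
    host: str
    kind: str      # "created" or "admin_added"
    account: str
    actor: str     # who performed the change


def parse_line(line):
    """Return an AccountEvent for lines describing a local account change, else None."""
    m = WIN_RE.match(line)
    if m:
        # Split the remaining "Key=Value" tokens into a dict.
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ts = datetime.fromisoformat(m.group("ts"))
        if m.group("eid") == "4720":
            return AccountEvent(ts, m.group("host"), "created",
                                kv["TargetUserName"], kv["SubjectUserName"])
        if m.group("eid") == "4732" and kv.get("TargetUserName") == "Administrators":
            member = kv["MemberName"].split("\\")[-1]   # strip the HOST\ prefix
            return AccountEvent(ts, m.group("host"), "admin_added",
                                member, kv["SubjectUserName"])
        return None
    m = LINUX_RE.match(line)
    if m:
        return AccountEvent(datetime.fromisoformat(m.group("ts")), m.group("host"),
                            "created", m.group("name"), "root")
    return None


def find_account_creations(lines, admin_window=timedelta(minutes=10)):
    """One alert per account creation; severity 'high' if the same account is
    added to Administrators on the same host within admin_window (assumed default)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    alerts = []
    for created in (e for e in events if e.kind == "created"):
        escalated = any(
            e.kind == "admin_added" and e.host == created.host
            and e.account == created.account
            and created.ts <= e.ts <= created.ts + admin_window
            for e in events
        )
        alerts.append({
            "host": created.host,
            "account": created.account,
            "created_by": created.actor,
            "severity": "high" if escalated else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_account_creations(SAMPLE_LOGS):
        print(alert)
```

Run against the embedded samples, the Windows creation of `support2` is reported as high severity because the 4732 event follows it four seconds later, while the Linux `deploy` account is reported at medium severity. In a real deployment the same logic would sit on top of a log pipeline rather than an in-memory list, and the actor field (`SubjectUserName`) is the first thing an analyst would pivot on.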


Intel vPro Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1136.001 | Local Account | |
Comments
Intel Threat Detection Technology (TDT), in conjunction with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling the detection of Local Account Creation techniques (T1136.001) in real time. This integrated solution strengthens CrowdStrike Falcon, allowing for faster detection and mitigation of threats earlier in the kill chain while minimizing system performance impact. Local Account Creation involves adversaries creating new local accounts on compromised systems to maintain persistence or elevate privileges. These accounts are often used to bypass authentication mechanisms or provide unauthorized access to a system. Intel TDT plays a key role by providing granular visibility into program execution, memory access, and control flow, enabling the detection of suspicious account creation or modifications. This real-time telemetry helps identify unusual behaviors, such as unauthorized attempts to create or modify local accounts. AMS offloads memory scanning from the CPU to the Intel Integrated GPU, ensuring that detection remains fast and efficient, without compromising system performance. This combined solution provides a powerful defense against Local Account Creation techniques, helping organizations quickly identify and neutralize threats aimed at gaining unauthorized access through local accounts.
References

Known Exploited Vulnerabilities Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2022-47966 | Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | primary_impact | T1136.001 | Local Account | |
Comments
CVE-2022-47966 is a remote code execution vulnerability that affects many ManageEngine products due to misconfiguration of security features. Adversaries can utilize this vulnerability to run arbitrary Java code. APTs have been observed exploiting this vulnerability to gain access to public-facing applications, establish persistence, and move laterally. They've also been observed to create local user accounts with administrative privileges, use valid but disabled user accounts, delete logs, establish command and control communications, ... **the list goes on and on due to fantastic, detailed reporting**
References
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2022-21999 | Microsoft Windows Print Spooler Privilege Escalation Vulnerability | secondary_impact | T1136.001 | Local Account | |
Comments
This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.
References