T1136.001 Local Account Mappings

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1136.001 | Local Account |
Comments
Intel Threat Detection Technology (TDT), in conjunction with CrowdStrike Falcon Accelerated Memory Scanning (AMS), supports real-time detection of Local Account creation (T1136.001). The integration strengthens CrowdStrike Falcon, allowing threats to be detected and mitigated earlier in the kill chain with minimal impact on system performance.

Local Account creation is the technique in which an adversary creates a new local account on a compromised system to maintain persistence or, when the account is placed in a privileged group, to elevate privileges. Because such an account holds valid credentials, it gives the adversary a way back into the system that survives reboots and does not depend on a remote access tool remaining resident.

Intel TDT contributes CPU-level visibility into program execution, memory access and control flow; this telemetry lets Falcon flag suspicious account activity as it happens, such as unauthorized attempts to create or modify local accounts. AMS offloads memory scanning from the CPU to the Intel integrated GPU, so scanning remains fast without degrading system performance. Together they help organizations identify and neutralize attempts to gain unauthorized access through newly created local accounts.
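The description above lists the commands an adversary typically uses to create a local account (net user /add, dscl -create, kubectl create serviceaccount), and the comments describe detecting that activity from telemetry. The following is an added example, not code from the page, from Intel, or from CrowdStrike: a small rule set that runs over constructed process-launch and Windows Security audit records and emits a finding per account creation, then groups the findings so command-line and audit evidence for the same account line up. The event schema, host names and account names are assumptions made for the example; the Windows Security event ID 4720 ("A user account was created") and the exclusion of net user ... /add /domain (which creates a domain rather than a local account) are the only externally grounded details.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not from the page): process-launch and audit
# records shaped the way a detection pipeline might receive them. The schema
# is an assumption made for this example.
SAMPLE_EVENTS = [
    {"kind": "process", "platform": "windows", "host": "win-ws01", "user": "CORP\\jdoe",
     "cmdline": r"C:\Windows\System32\net.exe user backupsvc P@ssw0rd! /add"},
    {"kind": "audit", "platform": "windows", "host": "win-ws01", "user": "CORP\\jdoe",
     "event_id": 4720, "target": "backupsvc"},
    {"kind": "process", "platform": "macos", "host": "mac-dev02", "user": "root",
     "cmdline": "dscl . -create /Users/support UserShell /bin/bash"},
    {"kind": "process", "platform": "linux", "host": "bastion", "user": "ops",
     "cmdline": "kubectl create serviceaccount deploy-bot -n kube-system"},
    # Benign look-alikes that a naive substring match on "net user" or "dscl" would flag.
    {"kind": "process", "platform": "windows", "host": "win-ws02", "user": "CORP\\asmith",
     "cmdline": "net user jdoe"},
    {"kind": "process", "platform": "macos", "host": "mac-dev02", "user": "root",
     "cmdline": "dscl . -read /Users/support"},
    # Domain account creation: real, but not T1136.001 (Local Account).
    {"kind": "process", "platform": "windows", "host": "win-ws03", "user": "CORP\\admin",
     "cmdline": "net user svc-ad Winter2024! /add /domain"},
]

# Command-line heuristics keyed by platform ("*" = any). Each pattern captures
# the created account name so the finding can be correlated later.
CMDLINE_RULES = [
    ("windows", "net user /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<account>[^/\s]\S*)(?:\s+\S+)*?\s+/add\b", re.I)),
    ("macos", "dscl -create user record",
     re.compile(r"\bdscl\b.*?\s-create\s+/Users/(?P<account>[^\s/]+)", re.I)),
    ("*", "kubectl create serviceaccount",
     re.compile(r"\bkubectl\s+create\s+(?:serviceaccount|sa)\s+(?P<account>\S+)", re.I)),
]
DOMAIN_FLAG = re.compile(r"\s/domain\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    actor: str      # who ran the command / whose session the audit event is from
    account: str    # the account that was created
    rule: str
    technique: str = "T1136.001"


def detect_local_account_creation(events):
    """Return one Finding per local-account creation seen in the event stream."""
    findings = []
    for ev in events:
        if ev["kind"] == "audit":
            # Windows Security log event 4720: "A user account was created".
            if ev["platform"] == "windows" and ev.get("event_id") == 4720:
                findings.append(Finding(ev["host"], ev["user"], ev["target"], "Security event 4720"))
            continue
        cmdline = ev["cmdline"]
        for platform, rule, pattern in CMDLINE_RULES:
            if platform not in ("*", ev["platform"]):
                continue
            m = pattern.search(cmdline)
            if not m:
                continue
            if platform == "windows" and DOMAIN_FLAG.search(cmdline):
                break  # "net user ... /add /domain" creates a domain account, out of scope here
            findings.append(Finding(ev["host"], ev["user"], m.group("account"), rule))
            break
    return findings


def group_by_account(findings):
    """Collect the rules that fired per (host, account) so command-line and audit evidence line up."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f.host, f.account)].append(f.rule)
    return dict(grouped)


if __name__ == "__main__":
    for (host, account), rules in group_by_account(
            detect_local_account_creation(SAMPLE_EVENTS)).items():
        print(f"{host}: account '{account}' created (T1136.001) via {', '.join(rules)}")
```

Two design points worth noting. Matching on the /add switch and the -create verb rather than on the presence of net or dscl is what keeps the read-only look-alikes quiet, and the audit record is handled separately because it does not depend on the command line being captured at all (an adversary can create the account through the API rather than net.exe, and 4720 still fires). Grouping by (host, account) is what turns two independent signals for backupsvc into a single, higher-confidence finding.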