T1136.001 Local Account

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

PR.IR-01.05 | Remote access protection | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote access control covers how users reach systems remotely, for example through encrypted connections and account-use policies, which help deny adversaries a path in.

PR.IR-01.06 | Production environment segregation | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects production environments. Measures such as network segmentation and access control reduce the attack surface, restrict adversary movement, and protect critical assets and data from compromise.

PR.AA-05.02 | Privileged system access | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects against Local Account through privileged account management and multi-factor authentication.

DE.CM-06.02 | Third-party access monitoring | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects against Local Account through privileged account management. Auditing, privileged access management, and just-in-time access protect against adversaries trying to obtain illicit access to critical systems.

PR.AA-02.01 | Authentication of identity | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects against Create Account through privileged account management controls that limit credential access. Restricting account creation to specific accounts, enforcing access control mechanisms, and auditing logs that attribute each account creation to the actor who performed it protect against adversaries attempting to create accounts.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects against Create Account through key management and key revocation. Restricting key use to specific accounts, together with access control mechanisms, protects against adversaries attempting to create accounts.

PR.AA-03.01 | Authentication requirements | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

PR.AA-01.01 | Identity and credential management | Mitigates | T1136.001 | Local Account
Comments: This diagnostic statement protects against Local Account through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CM-06 | Configuration Settings | mitigates | T1136.001 | Local Account
CM-05 | Access Restrictions for Change | mitigates | T1136.001 | Local Account
IA-05 | Authenticator Management | mitigates | T1136.001 | Local Account
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1136.001 | Local Account
AC-20 | Use of External Systems | mitigates | T1136.001 | Local Account
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1136.001 | Local Account
SI-04 | System Monitoring | mitigates | T1136.001 | Local Account
AC-02 | Account Management | mitigates | T1136.001 | Local Account
AC-03 | Access Enforcement | mitigates | T1136.001 | Local Account
AC-05 | Separation of Duties | mitigates | T1136.001 | Local Account
AC-06 | Least Privilege | mitigates | T1136.001 | Local Account

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
attribute.integrity.variety.Created account | Created new user account | related-to | T1136.001 | Local Account

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1136.001 | Local Account
Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent system files from being modified in Kubernetes containers, thereby mitigating this sub-technique, since adding an account on Linux requires writing to system files such as /etc/passwd and /etc/shadow. Because this is a recommendation, its score is capped at Partial.

alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1136.001 | Local Account
Comments: This control may alert on use of the useradd command to create new users and on creation of local user accounts whose names are suspiciously similar to other account names.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1136.001 | Local Account
Comments: This control may detect when an account is created with a name that closely resembles a standard Windows account or group name, which may be an account created by an attacker to blend into the environment. The following alert may be generated: "Suspicious Account Creation Detected".

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

google_secops | Google Security Operations | technique_scores | T1136.001 | Local Account
Comments: Google Security Operations can trigger on suspicious system event logs, such as newly created local user accounts on Windows hosts in AD environments (e.g., Security event 4720, "A user account was created"). This technique was scored as Minimal based on a low or uncertain detection coverage factor.
References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral
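The detection logic that the Azure alerts and the Google Security Operations rule above describe, written out as an added example for this page (it is not code from Microsoft, Google, or the mapping project): it reads Windows Security event 4720 records and Linux useradd syslog lines, records every local-account creation as a baseline, and flags new names that imitate a built-in account once common digit-for-letter substitutions are undone. The reference-name list, the 0.85 similarity threshold, the forwarded-event field layout and the sample records are assumptions made for the example; the samples are constructed, not captured.

```python
"""Added example: flag local-account creations whose new name imitates a
built-in account, over Windows Security event 4720 records and Linux
useradd syslog lines (both constructed samples below)."""
import difflib
import re

# Built-in or well-known names an adversary might imitate. This list is an
# assumption for the example; a real deployment would use the environment's own.
REFERENCE_NAMES = [
    "Administrator", "Administrators", "Guest", "DefaultAccount",
    "WDAGUtilityAccount", "SYSTEM", "krbtgt", "Domain Admins",
    "root", "daemon", "nobody", "sshd", "www-data",
]

# Constructed sample input: two event 4720 records as a SIEM might forward them
# (field names follow the event's EventData/System XML elements) ...
SAMPLE_WINDOWS_4720 = [
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "jsmith",
     "TargetUserName": "Administrat0r"},
    {"EventID": 4720, "Computer": "CI02", "SubjectUserName": "deploy",
     "TargetUserName": "build_agent"},
]
# ... and two auth.log lines in the format shadow-utils' useradd emits.
SAMPLE_LINUX_AUTHLOG = [
    "Jan 12 03:14:07 web01 useradd[2231]: new user: name=sshd_, UID=1004, "
    "GID=1004, home=/home/sshd_, shell=/bin/bash",
    "Jan 12 09:02:44 web01 useradd[2410]: new user: name=alice, UID=1005, "
    "GID=1005, home=/home/alice, shell=/bin/bash",
]

USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),.*?shell=(?P<shell>[^,\s]+)")

# Common lookalike substitutions (0 for o, 1 for l, ...) to undo before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(name):
    """Lower-case, undo digit/symbol substitutions, drop padding like 'sshd_'."""
    return name.lower().translate(HOMOGLYPHS).strip("_-.")


def closest_reference(name, threshold=0.85):
    """Return (reference_name, similarity) for the built-in name this account
    most resembles, or None. An exact built-in name is not a lookalike."""
    if name.lower() in {r.lower() for r in REFERENCE_NAMES}:
        return None
    norm = normalize(name)
    best = None
    for ref in REFERENCE_NAMES:
        score = difflib.SequenceMatcher(None, norm, ref.lower()).ratio()
        if score >= threshold and (best is None or score > best[1]):
            best = (ref, score)
    return best


def parse_windows_4720(record):
    """Reduce a forwarded event 4720 record to the fields the rule needs."""
    if record.get("EventID") != 4720:
        return None
    return {"source": "windows", "host": record.get("Computer", "?"),
            "actor": record.get("SubjectUserName", "?"),
            "new_account": record["TargetUserName"]}


def parse_linux_useradd(line):
    """Extract host and new account name from a useradd syslog line."""
    m = USERADD_RE.search(line)
    if not m:
        return None
    return {"source": "linux", "host": line.split()[3], "actor": "useradd",
            "new_account": m.group("name"), "shell": m.group("shell")}


def all_account_creations(windows_events, linux_lines):
    """Every local-account creation seen; each is worth recording (the Google
    SecOps rule referenced above fires on any event 4720)."""
    events = [e for e in map(parse_windows_4720, windows_events) if e]
    events += [e for e in map(parse_linux_useradd, linux_lines) if e]
    return events


def find_lookalike_accounts(windows_events, linux_lines, threshold=0.85):
    """Subset of creations whose new name resembles a built-in account name."""
    findings = []
    for ev in all_account_creations(windows_events, linux_lines):
        match = closest_reference(ev["new_account"], threshold)
        if match:
            findings.append(dict(ev, resembles=match[0], score=round(match[1], 2)))
    return findings


if __name__ == "__main__":
    for f in find_lookalike_accounts(SAMPLE_WINDOWS_4720, SAMPLE_LINUX_AUTHLOG):
        print(f"[{f['source']}] {f['host']}: new account {f['new_account']!r} "
              f"created by {f['actor']} resembles {f['resembles']!r} "
              f"(similarity {f['score']})")
```

Run stand-alone it reports the two lookalikes (Administrat0r on WS01, sshd_ on web01) and stays quiet on build_agent and alice. Tune REFERENCE_NAMES to the environment's own privileged and service accounts, and keep the full list from all_account_creations as well: an adversary who chooses an unremarkable name is only caught by reviewing every 4720 or useradd event against an approved change, which is why the mapping above scores generic creation alerts as Minimal.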
identity_platform | Identity Platform | technique_scores | T1136.001 | Local Account
Comments: Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides secure, easy-to-use authentication for services built on Google Cloud, on your own backend, or on another platform, which helps keep adversaries from gaining access to systems and accounts.