1. Home
  2. ATT&CK Techniques
  3. T1136.001 Local Account

T1136.001 Local Account Mappings

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as <code>username</code>, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.integrity.variety.Created account Created new user account related-to T1136.001 Create Account: Local Account

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1136.001 Local Account
Comments
Google Security Ops is able to trigger based on suspicious system event logs, such as newly created local user accounts in Windows AD environments (e.g., event 4720). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']
identity_platform Identity Platform technique_scores T1136.001 Local Account
Comments
Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems and accounts.
References
  1. ['https://cloud.google.com/identity-platform/docs/concepts']