Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1136.001 | Local Account | |
AC-20 | Use of External Systems | Protects | T1136.001 | Local Account | |
AC-3 | Access Enforcement | Protects | T1136.001 | Local Account | |
AC-5 | Separation of Duties | Protects | T1136.001 | Local Account | |
AC-6 | Least Privilege | Protects | T1136.001 | Local Account | |
CM-5 | Access Restrictions for Change | Protects | T1136.001 | Local Account | |
CM-6 | Configuration Settings | Protects | T1136.001 | Local Account | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1136.001 | Local Account | |
IA-5 | Authenticator Management | Protects | T1136.001 | Local Account | |
SI-4 | System Monitoring | Protects | T1136.001 | Local Account | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1136.001 | Local Account | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1136.001 | Local Account | This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected". |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1136.001 | Local Account | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent system files from being modified in Kubernetes containers, thereby mitigating this sub-technique, since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1136.001 | Local Account | This control may alert on usage of the useradd command to create new users and on the creation of local user accounts with suspicious similarity to other account names. |
azure_sentinel | Azure Sentinel | technique_scores | T1136.001 | Local Account | The Azure Sentinel Hunting "New User created on SQL Server" query can detect a specific type of potentially malicious local account creation. The following Azure Sentinel Analytics queries can identify potentially malicious local account creation: "Summary of users created using uncommon/undocumented commandline switches", which can identify use of the net command to create user accounts; "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access", which may identify account creation followed by suspicious behavior; "User account created and deleted within 10 mins", which suggests an account may have existed only long enough to fulfill a malicious purpose; and "Powershell Empire cmdlets seen in command line", which can identify use of Empire, including for account creation. |
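As an added illustration (not part of this mapping page and not Microsoft's own alert or query logic), the two detection ideas above, a new account name that closely resembles a built-in Windows account and an account created and deleted within ten minutes, expressed over a constructed sample of Windows Security audit events (4720 = account created, 4726 = account deleted); the similarity threshold and the sample records are assumptions.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample of Windows Security audit events (4720 = "A user account
# was created", 4726 = "A user account was deleted"); not real telemetry.
EVENTS = [
    {"id": 4720, "time": "2024-01-10T09:00:00", "target": "svc-backup", "subject": "itadmin"},
    {"id": 4720, "time": "2024-01-10T09:05:00", "target": "Adminstrator", "subject": "jdoe"},
    {"id": 4720, "time": "2024-01-10T10:00:00", "target": "tmp01", "subject": "jdoe"},
    {"id": 4726, "time": "2024-01-10T10:06:00", "target": "tmp01", "subject": "jdoe"},
]

# Built-in Windows account names a blend-in account would imitate.
BUILTIN_NAMES = ["Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount"]

def lookalike_accounts(events, threshold=0.85):
    """Flag 4720 events whose new account name closely resembles, but does not
    equal, a built-in name. The similarity threshold is an assumed value."""
    hits = []
    for ev in events:
        if ev["id"] != 4720:
            continue
        new = ev["target"].lower()
        for name in BUILTIN_NAMES:
            if new == name.lower():
                break  # exact match is not a lookalike
            if SequenceMatcher(None, new, name.lower()).ratio() >= threshold:
                hits.append((ev["target"], name))
                break
    return hits

def short_lived_accounts(events, window_minutes=10):
    """Return accounts created (4720) and then deleted (4726) within the window,
    the pattern behind "User account created and deleted within 10 mins"."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = when
        elif ev["id"] == 4726 and ev["target"] in created:
            if when - created.pop(ev["target"]) <= timedelta(minutes=window_minutes):
                hits.append(ev["target"])
    return hits

if __name__ == "__main__":
    print("lookalike names:", lookalike_accounts(EVENTS))
    print("short-lived accounts:", short_lived_accounts(EVENTS))
```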