T1136.001 Local Account Mappings

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1136.001 Local Account
AC-20 Use of External Systems Protects T1136.001 Local Account
AC-3 Access Enforcement Protects T1136.001 Local Account
AC-5 Separation of Duties Protects T1136.001 Local Account
AC-6 Least Privilege Protects T1136.001 Local Account
CM-5 Access Restrictions for Change Protects T1136.001 Local Account
CM-6 Configuration Settings Protects T1136.001 Local Account
IA-2 Identification and Authentication (organizational Users) Protects T1136.001 Local Account
IA-5 Authenticator Management Protects T1136.001 Local Account
SI-4 System Monitoring Protects T1136.001 Local Account
SI-7 Software, Firmware, and Information Integrity Protects T1136.001 Local Account
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1136.001 Local Account
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1136.001 Local Account
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1136.001 Local Account
azure_sentinel Azure Sentinel technique_scores T1136.001 Local Account