T1136.001 · Sub-technique · Persistence · agent-callable

T1136.001Local Account

Sub-technique of T1136

Platforms: Linux · macOS · Windows · Network · Containers

ATT&CK version: 14.1

What it is

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
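On Windows the creation described above is recorded as Security event 4720 ("A user account was created"), the event the reference list points to. The following detection sketch is an added example, not part of the ATT&CK entry: it models the Security log as a list of constructed dict records and separates local account creation from domain account creation by checking whether the new account's domain field is the host name.

```python
"""Flag local account creation (T1136.001) in Windows Security event 4720.

Added example with constructed sample data; field names follow the 4720
event schema (SubjectUserName, TargetUserName, TargetDomainName).
"""
from collections import defaultdict

# Constructed sample events: routine logon noise plus three account creations.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "alice",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Time": "2024-01-05T08:00:00Z"},
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "svc-backup",
     "TargetUserName": "support2", "TargetDomainName": "WS01",
     "Time": "2024-01-05T02:13:00Z"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "helpdesk",
     "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "Time": "2024-01-05T09:30:00Z"},
    {"EventID": 4720, "Computer": "WS07", "SubjectUserName": "svc-backup",
     "TargetUserName": "support2", "TargetDomainName": "WS07",
     "Time": "2024-01-05T02:14:00Z"},
]


def local_account_creations(events):
    """Return 4720 events whose new account is local to the host.

    For a local account the TargetDomainName is the computer name rather
    than the AD domain; a domain account (T1136.002) carries the domain.
    """
    return [e for e in events
            if e["EventID"] == 4720
            and e["TargetDomainName"].upper() == e["Computer"].upper()]


def creators_by_host(events):
    """Map each creating principal to the hosts where it made local accounts.

    The same principal creating the same local account across many hosts
    is a stronger persistence signal than any single creation.
    """
    hosts = defaultdict(set)
    for e in local_account_creations(events):
        hosts[e["SubjectUserName"]].add(e["Computer"])
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    for e in local_account_creations(SAMPLE_EVENTS):
        print(f"{e['Time']} {e['Computer']}: {e['SubjectUserName']} "
              f"created local account {e['TargetUserName']}")
    print(creators_by_host(SAMPLE_EVENTS))
```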

ATT&CK tactics · 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1136/001
  2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630
  3. https://kubernetes.io/docs/concepts/security/service-accounts/
  4. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.