DET0447 T1136.001 Detection Strategy - Local Account Creation Across Platforms

Item	Value
ID	DET0447
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1136.001 (Local Account)

Analytics

Windows

AN1235

Adversary uses built-in tools like ‘net user /add’, PowerShell, or WMI to create a local user. Sequence: Account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe).

Log Sources

Data Component	Name	Channel
User Account Creation (DC0014)	WinEventLog:Security	EventCode=4720
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
ParentProcessName	Attackers may use cmd.exe, wscript.exe, or renamed binaries to evade detection
TimeWindow	Define time threshold between process start and user creation event (e.g., 5s–2m)
UserContext	Correlate if process runs under SYSTEM, Administrator, or untrusted account

Linux

AN1236

Local user accounts are created via binaries like ‘useradd’, ‘adduser’, or by editing passwd/shadow. Behavior chain includes execution of user management binaries or modification of user database files.

Log Sources

Data Component	Name	Channel
User Account Creation (DC0014)	auditd:SYSCALL	useradd or adduser executed
File Modification (DC0061)	auditd:SYSCALL	write operation on /etc/passwd or /etc/shadow

Mutable Elements

Field	Description
BinaryPath	Account creation may be scripted via shell scripts, cron jobs, or remote shells
ExecutionSource	Flag if commands are issued from remote sessions (e.g., sshd)

macOS

AN1237

Account creation using ‘dscl -create’ or via GUI tools. Detection involves command execution and file changes to the local directory services database.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	macos:unifiedlog	dscl -create
File Modification (DC0061)	macos:unifiedlog	modification to /var/db/dslocal/nodes/Default/users/

Mutable Elements

Field	Description
UsernamePattern	Accounts like ‘svc’, ‘backup’ may blend into legit naming patterns
SessionOrigin	Identify if dscl was run locally, via ARD, or Terminal.app

ESXi

AN1238

Account created using esxcli commands. Sequence includes esxcli execution and successful modification to account DB.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	esxi:vmkernel	esxcli system account add

Mutable Elements

Field	Description
CommandOrigin	Console sessions vs SSH vs vSphere CLI session may affect alert fidelity

Containers

AN1239

Account created in a running container (e.g., via ‘useradd’ or by modifying /etc/passwd directly). Detectable via runtime telemetry (e.g., Falco or eBPF hooks).

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	ebpf:syscalls	useradd or /etc/passwd modified inside container

Mutable Elements

Field	Description
ContainerContext	Distinguish between ephemeral containers and long-lived service containers
NamespaceScope	Determine if account was added inside host, user, or PID namespace

Network Devices

AN1240

Account created via CLI using ‘username’ command or REST API. Detectable through AAA logging or CLI history telemetry.

Log Sources

Data Component	Name	Channel
User Account Creation (DC0014)	networkdevice:syslog	username privilege

Mutable Elements

Field	Description
PrivilegeLevel	Some devices allow unprivileged user creation—adjust based on role risk
RemoteSessionFlag	Creation via Telnet, SSH, or serial console affects detection priority