T1136.001 Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the `net user /add` command can be used to create a local account. On macOS systems the `dscl -create` command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as `username`.[1]
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Item | Value |
---|---|
ID | T1136.001 |
Sub-techniques | T1136.001, T1136.002, T1136.003 |
Tactics | TA0003 |
Platforms | Linux, Network, Windows, macOS |
Version | 1.2 |
Created | 28 January 2020 |
Last Modified | 12 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0022 | APT3 | APT3 has been known to create or enable accounts, such as `support_388945a0`.[22] |
G0087 | APT39 | APT39 has created accounts on multiple compromised hosts to perform actions within the network.[23] |
G0096 | APT41 | APT41 has created user accounts.[18] |
S0274 | Calisto | Calisto has the capability to add its own account to the victim’s machine.[7] |
S0030 | Carbanak | Carbanak can create a Windows account.[10] |
G0035 | Dragonfly | Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[17] |
S0363 | Empire | Empire has a module for creating a local user if permissions allow.[5] |
S0143 | Flame | Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available.[13][14] |
G0117 | Fox Kitten | Fox Kitten has created a local user account with administrator privileges.[26] |
S0493 | GoldenSpy | GoldenSpy can create new users on an infected system.[8] |
S0394 | HiddenWasp | HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[11] |
S0601 | Hildegard | Hildegard has created a user named “monerodaemon”.[12] |
G0094 | Kimsuky | Kimsuky has created accounts with `net user`.[20] |
G0077 | Leafminer | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[19] |
G0059 | Magic Hound | Magic Hound has created local accounts named help and DefaultAccount on compromised machines.[24][25] |
S0084 | Mis-Type | Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.[9] |
S0039 | Net | The `net user username \password` commands in Net can be used to create a local account.[3] |
S0192 | Pupy | Pupy can use PowerView to execute “net user” commands and create local system accounts.[4] |
S0085 | S-Type | S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6”{Unique Identifier}`.[9] |
S0382 | ServHelper | ServHelper has created a new user named “supportaccount”.[6] |
S0649 | SMOKEDHAM | SMOKEDHAM has created user accounts.[15] |
G0139 | TeamTNT | TeamTNT has created local privileged users on victim machines.[21] |
S0412 | ZxShell | ZxShell has a feature to create local user accounts.[16] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
M1026 | Privileged Account Management | Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0002 | User Account | User Account Creation |
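As an added detection example (not part of the ATT&CK page), the following Python matcher applies the three data components above to constructed telemetry: one Windows Security event 4720 (a user account was created, reference [2]) and process-creation command lines for the `net user /add`, `dscl -create`, `useradd` and network-device `username` commands named on this page. All event records, host names and account names are constructed sample data.

```python
import re

# Constructed sample telemetry (not from the ATT&CK page): one Windows Security
# event 4720 and five process-creation records; the last record is benign.
SAMPLE_EVENTS = [
    {"source": "windows_security", "event_id": 4720,
     "target_user": "supportaccount", "subject_user": "WORKSTN01$"},
    {"source": "process_creation", "host": "win-host",
     "command_line": "net user helpdesk P@ssw0rd /add"},
    {"source": "process_creation", "host": "mac-host",
     "command_line": "dscl . -create /Users/helper UserShell /bin/bash"},
    {"source": "process_creation", "host": "linux-host",
     "command_line": "useradd -m monerodaemon"},
    {"source": "process_creation", "host": "router01",
     "command_line": "username support privilege 15 secret 0 Ex4mplePass"},
    {"source": "process_creation", "host": "win-host",
     "command_line": "net user"},  # enumeration only, no /add
]

# Command-line patterns for the local account creation commands the page names.
ACCOUNT_CREATION_PATTERNS = [
    ("windows", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
    ("macos", re.compile(r"\bdscl\b.*\s-create\s+/Users/", re.I)),
    ("linux", re.compile(r"\b(useradd|adduser)\b", re.I)),
    ("network", re.compile(r"^\s*username\s+\S+\s+(privilege|secret|password)\b", re.I)),
]


def detect_local_account_creation(events):
    """Return one alert per event that indicates a local account was created."""
    alerts = []
    for ev in events:
        # DS0002 User Account Creation: Windows logs 4720 when a user account is created.
        if ev.get("source") == "windows_security" and ev.get("event_id") == 4720:
            alerts.append({"technique": "T1136.001", "platform": "windows",
                           "evidence": f"4720: {ev['subject_user']} created {ev['target_user']}"})
            continue
        # DS0017 Command Execution / DS0009 Process Creation: inspect the command line.
        cmd = ev.get("command_line", "")
        for platform, pattern in ACCOUNT_CREATION_PATTERNS:
            if pattern.search(cmd):
                alerts.append({"technique": "T1136.001", "platform": platform,
                               "evidence": f"{ev.get('host')}: {cmd}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_local_account_creation(SAMPLE_EVENTS):
        print(alert)
```

In production the command-line patterns should be paired with an allowlist of the organization's provisioning tooling and correlated with the 4720 event, since a plain `net user` without `/add` only enumerates accounts and is not flagged here.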
References
[1] Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
[2] Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
[3] Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
[5] Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
[6] Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
[7] Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
[8] Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
[9] Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
[10] Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
[11] Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
[12] Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
[13] Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
[14] Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
[15] FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
[16] Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
[17] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
[18] Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
[19] Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
[20] KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
[21] Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
[22] valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
[23] Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
[24] DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
[25] MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
[26] ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.