Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | 1 |