Local Account

Information

• Name: Local Account

• ID: T1136.001

• Tactics: TA0003

• Technique: T1136

Introduction

Local Account (T1136.001) is a sub-technique within the MITRE ATT&CK framework under the broader technique "Create Account" (T1136). Attackers leverage this sub-technique by creating or manipulating local user accounts on compromised systems to maintain persistence, escalate privileges, or evade detection. Local accounts offer attackers a convenient and robust method to access compromised systems without raising suspicion, as these accounts blend into normal administrative or user behavior.

Deep Dive Into Technique

Creating or manipulating local accounts involves several technical methods and procedures:

• Built-in Operating System Commands and Utilities:

  • Windows:

    • net user command: Attackers commonly use this command to create new accounts or modify existing ones.

      Copy

      net user attacker Password123! /add
      net localgroup administrators attacker /add

    • PowerShell cmdlets:

      Copy

      New-LocalUser -Name attacker -Password (ConvertTo-SecureString "Password123!" -AsPlainText -Force)
      Add-LocalGroupMember -Group "Administrators" -Member attacker

  • Linux/Unix:

    • useradd, adduser, and passwd commands:

      Copy

      useradd attacker
      passwd attacker
      usermod -aG sudo attacker

• Manipulation of Existing Accounts:

  • Attackers may also modify existing legitimate accounts by changing passwords, adjusting privileges, or enabling disabled accounts.

  • For Windows, this could mean enabling the built-in Administrator account:

    Copy

    net user Administrator /active:yes

• Persistence Mechanisms:

  • Attackers frequently use local accounts as persistence mechanisms, ensuring continued access even after system reboots or remediation attempts.

  • Local accounts can be hidden or disguised by attackers to evade detection, such as renaming accounts to resemble legitimate administrative accounts.

• Privilege Escalation:

  • Attackers often assign administrative privileges to newly created or compromised local accounts, enabling them to escalate privileges and gain full control over the system.

When this Technique is Usually Used

Attackers typically leverage local accounts at various stages of an attack lifecycle, including:

• Persistence Stage:

  • Establishing long-term access to compromised systems.

  • Ensuring persistence even after initial malware removal or remediation efforts.

• Privilege Escalation Stage:

  • Creating or modifying local accounts with administrative privileges to escalate privileges and obtain elevated access.

• Lateral Movement Stage:

  • Utilizing local accounts to authenticate and move laterally across other systems within the same network if password reuse or shared account credentials exist.

• Defense Evasion Stage:

  • Creating hidden or disguised accounts to blend in with legitimate administrative or user accounts, making detection more difficult.

How this Technique is Usually Detected

Detection of local account creation or modification typically involves monitoring and alerting on specific events, behaviors, and indicators of compromise (IoCs):

• Event Log Monitoring:

  • Windows Security Event Logs:

    • Event ID 4720: "A user account was created."

    • Event ID 4722: "A user account was enabled."

    • Event ID 4738: "A user account was changed."

    • Event ID 4728: "A member was added to a security-enabled global group."

    • Event ID 4732: "A member was added to a security-enabled local group."

  • Linux/Unix Audit Logs:

    • /var/log/auth.log or /var/log/secure capturing account creation commands (useradd, passwd, usermod).

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions can identify suspicious account creation or modification by monitoring command-line activities and system API calls.

• SIEM (Security Information and Event Management) Systems:

  • Centralized log aggregation and correlation rules to detect suspicious patterns of account creation or modification.

• Behavioral Analytics:

  • Detection of abnormal account creation patterns or unusual administrative activity, such as account creation outside normal working hours or by unexpected user accounts.

• Indicators of Compromise (IoCs):

  • Presence of suspicious accounts (e.g., accounts with unusual naming conventions or privileges).

  • Accounts created or modified shortly after known malicious activity or compromise events.

  • Accounts with no legitimate business purpose or that do not conform to organizational naming standards.

Why it is Important to Detect This Technique

Detecting unauthorized local account creation or modification is critical due to the following impacts and considerations:

• Persistence and Long-term Access:

  • Attackers commonly use local accounts to maintain persistent access, allowing them to continue malicious activities undetected over extended periods.

• Privilege Escalation and System Control:

  • Unauthorized local accounts can grant attackers administrative privileges, enabling full system control, data exfiltration, and further lateral movement.

• Increased Attack Surface:

  • Unauthorized accounts expand the attack surface and can be leveraged for additional attacks, lateral movement, and exploitation within the network.

• Difficulty of Post-Incident Remediation:

  • Failure to detect and remediate unauthorized local accounts early significantly complicates incident response, remediation, and recovery efforts.

• Compliance and Regulatory Risks:

  • Unauthorized local accounts can lead to regulatory non-compliance, audit failures, and legal consequences due to compromised data security and integrity.

Early detection and remediation of unauthorized local accounts significantly reduces the risk of long-term compromise, data breaches, and operational disruption.

Examples

Real-world examples of attacker usage of local accounts include:

• APT29 (Cozy Bear):

  • Known for creating local user accounts to maintain persistence on compromised systems.

  • Utilized PowerShell commands and Windows utilities (net user) to create local accounts with administrative privileges, enabling persistent access and lateral movement.

• FIN7:

  • Created local accounts with administrative privileges on compromised Windows systems to retain persistent access and facilitate lateral movement.

  • Leveraged built-in Windows commands (net user) and PowerShell scripts to automate account creation and privilege assignment.

• Carbanak Group:

  • Created and manipulated local accounts on compromised banking systems to maintain persistent access, escalate privileges, and facilitate financial fraud activities.

  • Used standard Windows utilities and scripts to create hidden or disguised local accounts, making detection challenging.

• Operation Cloud Hopper (APT10):

  • Created local accounts on compromised cloud service provider systems to maintain persistence and facilitate lateral movement across client networks.

  • Leveraged Linux commands (useradd, passwd) to create local accounts and assign administrative privileges, enabling ongoing access and control.

These examples illustrate the widespread adoption of local account creation and manipulation by sophisticated threat actors across multiple industries and attack scenarios. Early detection, monitoring, and response to unauthorized local account activity are essential components of effective cybersecurity defense strategies.