Description
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the useradd command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, to ESXi servers via esxcli system account add, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)
Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
Platforms
Mitigations (2)
M1032 Multi-factor Authentication
Use multi-factor authentication for user and privileged accounts.
M1026 Privileged Account Management
Limit the number of accounts permitted to create other accounts. Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has created local administrator accounts to maintain persistence in compromised networks.(Citat... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has created Local Administrator accounts to maintain access to systems with short-cycle credential rotat... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has created accounts on victims, including administrator accounts, some of which appeared to be tai... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten Dece... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has created user accounts.(Citation: FireEye APT41 Aug 2019) |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has created MS-SQL local accounts in a compromised network.(Citation: Sygnia Elephant Beetle Jan 2022) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has created accounts with <code>net user</code>.(Citation: KISA Operation Muzabi) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has created local accounts named `help` and `DefaultAccount` on compromised machines.(Citation: D... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has created local system accounts and has added the accounts to privileged groups.(Citation: Ma... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citat... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has created accounts on multiple compromised hosts to perform actions within the network.(Citation: Bit... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) created a local account on victim machines to maintain access.(Citation: Symantec Daggerfly 2023) |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to create or enable accounts, such as <code>support_388945a0</code>.(Citation: aptsim) |
Associated Software (15)
| ID | Name | Type | Context |
|---|---|---|---|
| S0394 | HiddenWasp | Malware | [HiddenWasp](https://attack.mitre.org/software/S0394) creates a user account as a means to provide initial persistence to the compromised machine.(Cit... |
| S0493 | GoldenSpy | Malware | [GoldenSpy](https://attack.mitre.org/software/S0493) can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire) |
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has created user accounts.(Citation: FireEye SMOKEDHAM June 2021) |
| S0143 | Flame | Malware | [Flame](https://attack.mitre.org/software/S0143) can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate ri... |
| S0382 | ServHelper | Malware | [ServHelper](https://attack.mitre.org/software/S0382) has created a new user named "supportaccount".(Citation: Proofpoint TA505 Jan 2019) |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use PowerView to execute “net user” commands and create local system accounts.(Citation: GitHub P... |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!... |
| S0039 | Net | Tool | The <code>net user username \password</code> commands in [Net](https://attack.mitre.org/software/S0039) can be used to create a local account.(Citatio... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) creates a local user account, <code>SafeMode</code>, via <code>net user</code> commands.(Citation:... |
| S0084 | Mis-Type | Malware | [Mis-Type](https://attack.mitre.org/software/S0084) may create a temporary user on the system named `Lost_{Unique Identifier}`.(Citation: Cylance Dust... |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) can create a Windows account.(Citation: FireEye CARBANAK June 2017) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware) |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014) |
| S0274 | Calisto | Malware | [Calisto](https://attack.mitre.org/software/S0274) has the capability to add its own account to the victim's machine.(Citation: Symantec Calisto July ... |
References
- Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
- Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.
- Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.
- Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.
Frequently Asked Questions
What is T1136.001 (Local Account)?
T1136.001 is a MITRE ATT&CK technique named 'Local Account'. It belongs to the Persistence tactic(s). Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on...
How can T1136.001 be detected?
Detection of T1136.001 (Local Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
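As an added example (not code from the MITRE ATT&CK page or any project it cites), the script below turns the detection guidance above and the creation paths named in the Description into a concrete check: it scans a batch of log lines for Windows Security event 4720 (the "4720(S): A user account was created" reference), Linux `useradd` auth-log entries, and macOS `dscl -create` invocations, then flags every creation whose creator is not a known provisioning identity, which is the M1026 mitigation expressed as a rule. All log lines are constructed samples; the key=value layout of the Windows event and the macOS command-audit line are assumptions about how a log forwarder might render them, while the `useradd` line format and the `dscl` syntax are real.

```python
"""
Added example, not code from the MITRE ATT&CK page: flag local-account
creation in a batch of log lines covering the creation paths the technique
description names: Windows Security event 4720, Linux useradd, and macOS
dscl -create. Every log line below is a constructed sample; the Windows and
macOS line layouts are assumptions about how a log forwarder might render them.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AccountCreation:
    host: str
    source: str                 # which creation path matched
    account: str                # the account that was created
    creator: Optional[str]      # who created it, when the log records it


# Generic syslog-style envelope: "<timestamp> <host> <message>" (constructed shape).
ENVELOPE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")

# Windows 4720 flattened to key=value pairs (assumed forwarder layout; the event
# ID and the SubjectUserName / TargetUserName field names are the real ones).
WIN_4720 = re.compile(
    r"EventID=4720\b.*\bSubjectUserName=(?P<creator>\S+).*\bTargetUserName=(?P<account>\S+)"
)
# Linux: the line useradd itself writes to the auth log (real format).
LINUX_USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<account>[^,]+),")
# macOS: a command-audit line that captured `dscl . -create /Users/<name>`
# (assumed audit layout; the dscl invocation itself is real).
MACOS_DSCL = re.compile(r"dscl\s+\S+\s+-create\s+/Users/(?P<account>\S+)")


def parse_line(line: str) -> Optional[AccountCreation]:
    """Return an AccountCreation if the line records a local account being created."""
    env = ENVELOPE.match(line)
    if not env:
        return None
    host, msg = env.group("host"), env.group("msg")
    if m := WIN_4720.search(msg):
        return AccountCreation(host, "windows-4720", m.group("account"), m.group("creator"))
    if m := LINUX_USERADD.search(msg):
        # useradd's own log line carries no creator; correlate with sudo logs separately.
        return AccountCreation(host, "linux-useradd", m.group("account"), None)
    if m := MACOS_DSCL.search(msg):
        return AccountCreation(host, "macos-dscl", m.group("account"), None)
    return None


def detect_account_creations(lines: Iterable[str]) -> List[AccountCreation]:
    """All account-creation events found in the given log lines, in input order."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def unapproved_creations(events: Iterable[AccountCreation],
                         approved_creators: set) -> List[AccountCreation]:
    """Events whose creator is not a known provisioning identity, or is not recorded.

    Mitigation M1026 says only a small set of accounts should create other
    accounts; anything outside that set (or with no recorded creator) is
    worth an analyst's review.
    """
    return [ev for ev in events
            if ev.creator is None or ev.creator not in approved_creators]


# Constructed sample logs; the account names reuse ones the page attributes to malware.
SAMPLE_LOGS = [
    "2024-01-05T10:22:13Z ws01 Security: EventID=4720 SubjectUserName=CORP\\svc-provision TargetUserName=j.smith",
    "2024-01-05T10:23:40Z ws01 Security: EventID=4624 SubjectUserName=CORP\\jdoe TargetUserName=CORP\\jdoe",
    "2024-01-05T11:02:07Z ws07 Security: EventID=4720 SubjectUserName=CORP\\jdoe TargetUserName=SafeMode",
    "2024-01-05T11:15:31Z web01 useradd[1412]: new user: name=monerodaemon, UID=1003, GID=1003, home=/home/monerodaemon, shell=/bin/bash, from=/dev/pts/0",
    "2024-01-05T11:15:32Z web01 sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "2024-01-05T12:40:09Z mac02 audit: uid=501 exec dscl . -create /Users/help",
]

# Constructed allowlist: the one identity expected to create accounts in this environment.
APPROVED_CREATORS = {"CORP\\svc-provision"}

if __name__ == "__main__":
    events = detect_account_creations(SAMPLE_LOGS)
    for ev in unapproved_creations(events, APPROVED_CREATORS):
        print(f"REVIEW: {ev.host} {ev.source} created '{ev.account}' "
              f"by {ev.creator or 'unknown'}")
```

Run against the samples, the provisioning account's creation of `j.smith` is accepted and the other three creations are flagged. The Linux path is always flagged because the `useradd` log line names no creator; in practice that record should be joined with the `sudo` or shell-audit entry that launched it before an alert is raised, and the same allowlist idea extends to the ESXi and Kubernetes paths the Description mentions once their audit records are forwarded.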
What mitigations exist for T1136.001?
There are 2 documented mitigations for T1136.001. Key mitigations include: Multi-factor Authentication, Privileged Account Management.
Which threat groups use T1136.001?
Known threat groups using T1136.001 include: Wizard Spider, APT5, Dragonfly, TeamTNT, Fox Kitten, APT41, FIN13, Kimsuky.