MITRE ATT&CK Technique
Description
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the <code>dscl -create</code> command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-28T13:50:22.506Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may create a local account to maintain access to '
'victim systems. Local accounts are those configured by an '
'organization for use by users, remote support, services, or '
'for administration on a single system or service. \n'
'\n'
'For example, with a sufficient level of access, the Windows '
'<code>net user /add</code> command can be used to create a '
'local account. In Linux, the `useradd` command can be used, '
'while on macOS systems, the <code>dscl -create</code> command '
'can be used. Local accounts may also be added to network '
'devices, often via common [Network Device '
'CLI](https://attack.mitre.org/techniques/T1059/008) commands '
'such as <code>username</code>, to ESXi servers via `esxcli '
'system account add`, or to Kubernetes clusters using the '
'`kubectl` utility.(Citation: cisco_username_cmd)(Citation: '
'Kubernetes Service Accounts Security)\n'
'\n'
'Adversaries may also create new local accounts on network '
'firewall management consoles – for example, by exploiting a '
'vulnerable firewall management system, threat actors may be '
'able to establish super-admin accounts that could be used to '
'modify firewall rules and gain further access to the '
'network.(Citation: Cyber Security News)\n'
'\n'
'Such accounts may be used to establish secondary credentialed '
'access that do not require persistent remote access tools to '
'be deployed on the system.',
'external_references': [{'external_id': 'T1136.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1136/001'},
{'description': 'Cisco. (2023, March 6). username - '
'Cisco IOS Security Command '
'Reference: Commands S to Z. '
'Retrieved July 13, 2022.',
'source_name': 'cisco_username_cmd',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630'},
{'description': 'Kaaviya. (n.d.). SuperBlack Actors '
'Exploiting Two Fortinet '
'Vulnerabilities to Deploy '
'Ransomware. Retrieved September 22, '
'2025.',
'source_name': 'Cyber Security News',
'url': 'https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/'},
{'description': 'Kubernetes. (n.d.). Service '
'Accounts. Retrieved July 14, 2023.',
'source_name': 'Kubernetes Service Accounts Security',
'url': 'https://kubernetes.io/docs/concepts/security/service-accounts/'},
{'description': 'Lich, B., Miroshnikov, A. (2017, '
'April 5). 4720(S): A user account '
'was created. Retrieved June 30, '
'2017.',
'source_name': 'Microsoft User Creation Event',
'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720'}],
'id': 'attack-pattern--635cbe30-392d-4e27-978e-66774357c762',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:51.903Z',
'name': 'Local Account',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Austin Clark, @c2defense'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux',
'macOS',
'Windows',
'Network Devices',
'Containers',
'ESXi'],
'x_mitre_version': '1.5'}