title: Local Account (T1136.001)
id: df00tech-t1136-001
status: experimental
description: "Adversaries may create a local account to maintain persistent access to victim systems. Local accounts can be created using built-in OS commands such as net user /add (Windows), useradd or adduser (Linux), or dscl -create (macOS). Adversaries including Wizard Spider, APT5, Fox Kitten, TeamTNT, and FIN13 have used this technique to establish secondary access that survives credential rotation and does not require persistent remote access tools. Created accounts are often added to the local Administrators group to maximize their utility. Common naming patterns observed in the wild include service-like names (supportaccount, HelpAssistant) designed to blend with legitimate accounts."
references:
  - https://attack.mitre.org/techniques/T1136/001/
  - https://df00tech.com/detections/T1136.001
author: df00tech
date: 2026/04/18
tags:
  - attack.t1136.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT helpdesk or system administrators creating local service accounts for new application deployments or onboarding workflows
  - "Software installers (e.g., SQL Server, IIS, application suites) that create dedicated local service accounts during setup"
  - "Configuration management tooling (Ansible, Chef, Puppet, DSC) that enforces a local account policy and creates or recreates accounts as part of a run"
  - Domain join workflows that briefly create local accounts before applying domain policy
  - Automated provisioning systems creating local break-glass administrator accounts per a documented runbook
level: high