Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the
net user /add command can be used to create a local account. On macOS systems the
dscl -create command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Use multi-factor authentication for user and privileged accounts.
|M1026||Privileged Account Management||
Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add , useradd , and dscl -create
Monitor newly executed processes associated with account creation, such as net.exe
|DS0002||User Account||User Account Creation||
Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).