Attack: Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username, or to Kubernetes clusters using the kubectl utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)

Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
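The description above names one account-creation command per platform (net user /add, dscl -create, the network-device username command, and kubectl for Kubernetes service accounts). The following Python is an added detection example written for this page; it is not MITRE's text, not the Atomic Red Team test below, and not a Sigma rule. It runs the four command-line checks over constructed process-creation events (the hosts, actors and command lines are made up) and generalizes slightly beyond the description: it strips a full path and .exe from the Windows binary, accepts net1 as the documented alias of net, accepts the kubectl short form sa, and applies the kubectl check on any host OS. Matching is a plain whitespace split, so quoted account names containing spaces are out of scope.

```python
"""Flag local-account creation (T1136.001) across Windows, macOS, Kubernetes
and network-device CLIs. Added example for this page; not MITRE or Atomic Red
Team code. Sample events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TECHNIQUE = "T1136.001"

# Constructed sample events: host, platform, acting user, raw command line.
SAMPLE_EVENTS = [
    {"host": "win-ws01", "platform": "windows", "user": "CORP\\jdoe",
     "cmdline": "net  user backup_svc P@ssw0rd! /add"},
    {"host": "win-ws01", "platform": "windows", "user": "CORP\\jdoe",
     "cmdline": "net user /domain"},                       # enumeration only
    {"host": "mac-lt07", "platform": "macos", "user": "root",
     "cmdline": "dscl . -create /Users/helpdesk UserShell /bin/bash"},
    {"host": "mac-lt07", "platform": "macos", "user": "root",
     "cmdline": "dscl . -read /Users/helpdesk"},           # read, not create
    {"host": "bastion01", "platform": "linux", "user": "ops",
     "cmdline": "kubectl create serviceaccount ci-runner -n prod"},
    {"host": "bastion01", "platform": "linux", "user": "ops",
     "cmdline": "kubectl get sa -n prod"},                 # listing only
    {"host": "rtr-edge1", "platform": "network", "user": "admin",
     "cmdline": "username svc_backup privilege 15 secret Hunter2"},
]


@dataclass
class Finding:
    technique: str
    host: str
    platform: str
    actor: str
    account: str
    cmdline: str


def _basename(token: str) -> str:
    """Strip a Windows or POSIX path and a trailing .exe, lower-cased."""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _windows_account(tokens: List[str]) -> Optional[str]:
    # net[1] user <name> [password] /add  -- /add may follow the positionals.
    if len(tokens) < 3 or _basename(tokens[0]) not in ("net", "net1"):
        return None
    if tokens[1].lower() != "user" or "/add" not in [t.lower() for t in tokens]:
        return None
    positional = [t for t in tokens[2:] if not t.startswith("/")]
    return positional[0] if positional else None


def _macos_account(tokens: List[str]) -> Optional[str]:
    # dscl <datasource> -create /Users/<name> [attribute value]
    if len(tokens) < 3 or _basename(tokens[0]) != "dscl":
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-create" and "/users/" in tokens[i + 1].lower():
            return tokens[i + 1].rstrip("/").split("/")[-1]
    return None


def _kubernetes_account(tokens: List[str]) -> Optional[str]:
    # kubectl [global flags] create serviceaccount|sa <name> [flags]
    # (accounts created via 'kubectl create -f' manifests are not covered here)
    if len(tokens) < 4 or _basename(tokens[0]) != "kubectl":
        return None
    try:
        i = tokens.index("create")
    except ValueError:
        return None
    if i + 2 >= len(tokens) or tokens[i + 1] not in ("serviceaccount", "sa"):
        return None
    name = tokens[i + 2]
    return None if name.startswith("-") else name


def _network_account(tokens: List[str]) -> Optional[str]:
    # Cisco-style config line: username <name> [privilege N] [secret|password ...]
    if len(tokens) < 2 or tokens[0].lower() != "username":
        return None
    return tokens[1]


# kubectl can be run from any workstation OS, so it is checked on every host platform.
HOST_CHECKS: Dict[str, Tuple[Callable[[List[str]], Optional[str]], ...]] = {
    "windows": (_windows_account, _kubernetes_account),
    "macos": (_macos_account, _kubernetes_account),
    "linux": (_kubernetes_account,),
    "network": (_network_account,),
}


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the event's command line creates a local account."""
    tokens = event["cmdline"].split()
    for check in HOST_CHECKS.get(event["platform"], ()):
        account = check(tokens) if tokens else None
        if account is not None:
            return Finding(TECHNIQUE, event["host"], event["platform"],
                           event["user"], account, event["cmdline"])
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique} {f.platform:8} {f.host:10} {f.actor} created '{f.account}': {f.cmdline}")
```

Run as a script it prints one line per hit (four of the seven constructed events); import it to reuse classify() against real process-creation or device-config logs. The checks are deliberately narrow to the commands the description names; sysadminctl on macOS, useradd on Linux, or Kubernetes manifests applied with kubectl create -f would need their own rules.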
MITRE
Tactic
- persistence
Technique
- T1136.001
Test: Create a user account on a macOS system
OS
- macos
Description:
Creates a user on a macOS system with dscl
Executor
bash