T1136.001: T1136.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 28/01/2020 14:50 · Modified 20/04/2026 12:52

Essential information

MITRE technique ID: T1136.001
Confidence: 100/100
Revoked: No
Published: 28/01/2020 14:50
Modified: 20/04/2026 12:52
Author / Source: The MITRE Corporation

Aliases

Local Account

Platforms

windows macos linux Network Devices Containers ESXi

Description

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows `net user /add` command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the `dscl -create` command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `username`, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security) Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News) Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Kill chain phases

Kill chain	Phase
mitre-attack	persistence

Marking (TLP)

External references

cisco_username_cmd
Microsoft User Creation Event
mitre-attack (T1136.001)
Cyber Security News
Kubernetes Service Accounts Security

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

ROOTBOY uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ischhfd83 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TGR-CRI-0045 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Helldown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 uses ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackSuit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 27

Vidar uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ScreenConnect uses

Family
RedLine Stealer uses

Family The MITRE Corporation Confidence 100

[RedLine Stealer](https://attack.mitre.org/software/S1240) is an information-stealer malware variant first identified in 2020.(Citation: ESET RedLine Stealer November 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023) [RedLine Stealer](https://attack.mitre.org/software/S1240)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TrojanSpy:MSIL/RacoonStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackSuit uses

Family
Redline uses

Family
Amadey - S1025 uses

Family
Wedgecut uses
GoldenSpy uses
AteraAgent uses

Family
Rhysida uses

Family

← Previous

Page / 6

1–12 of 70

Prinz Eugen ransomware: a deep dive into a … related

AlienVault Confidence 100 17 MITREs 1 Malware 16 IOCs 14 Observables 1 APT
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Uptick in Bomgar RMM Exploitation related

1 CVE 18 MITREs 6 Malwares 5 Observables
Unveiling the Weaponized Web Shell EncystPHP related

3 CVEs 15 MITREs 1 Malware 5 Observables 1 APT
UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for … related

10 MITREs 80 Observables 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
Exploitation of Leaked Machine Keys by Initial Access … related

12 MITREs 2 Malwares 21 Observables 1 APT
Custom Arsenal Developed to Target Multiple Industries related

9 CVEs 8 MITREs 5 Malwares 185 Observables 1 APT
New Ransomware Operator Exploits Fortinet Vulnerability Duo related

17 MITREs 2 Malwares 23 Observables 1 APT
Zyxel vulnerability exploited by 'Helldown' ransomware group related

16 MITREs 5 Malwares 1 APT

← Previous

Page / 2

1–12 of 17

Vulnerabilities (CVE) (17)

CVE-2024-29868 targets

9.1 Critical

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker …

Attack vector: NETWORK
Published: 24/06/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-4966 KEV targets

9.4 Critical

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …

Attack vector: Network
Published: 18/10/2023
Modified: 21/12/2025

CVE-2025-64328 KEV targets

8.6 High

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore …

Attack vector: Network
Complexity: Low
Published: 07/11/2025
Modified: 18/06/2026

CWE-78 Awaiting Analysis

CVE-2021-45461 targets

9.8 Critical

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as …

Attack vector: NETWORK
Published: 22/12/2021
Modified: 28/01/2026

CVE-2024-51567 KEV targets

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-26118

targets

← Previous

Page / 2

1–12 of 17

T1136 subtechnique-of

Create Account MITRE

Tool (3)

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…

Course Of Action (2)

Privileged Account Management mitigates
Multi-factor Authentication mitigates

Contact About Legal notice Privacy policy Terms of use