adpare
72 lines
4.4 KiB
JSON
72 lines
4.4 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--d5c547ec-9fd6-489c-97cf-33300b41534d",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762",
|
|
"created": "2020-01-28T13:50:22.506Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1136/001",
|
|
"external_id": "T1136.001"
|
|
},
|
|
{
|
|
"source_name": "cisco_username_cmd",
|
|
"description": "Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.",
|
|
"url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
|
|
},
|
|
{
|
|
"source_name": "Cyber Security News",
|
|
"description": "Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.",
|
|
"url": "https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/"
|
|
},
|
|
{
|
|
"source_name": "Kubernetes Service Accounts Security",
|
|
"description": "Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.",
|
|
"url": "https://kubernetes.io/docs/concepts/security/service-accounts/"
|
|
},
|
|
{
|
|
"source_name": "Microsoft User Creation Event",
|
|
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.",
|
|
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T17:48:51.903Z",
|
|
"name": "Local Account",
|
|
"description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the <code>dscl -create</code> command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nAdversaries may also create new local accounts on network firewall management consoles \u2013 for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "persistence"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_contributors": [
|
|
"Austin Clark, @c2defense"
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_domains": [
|
|
"enterprise-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": true,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Containers",
|
|
"ESXi",
|
|
"Linux",
|
|
"macOS",
|
|
"Network Devices",
|
|
"Windows"
|
|
],
|
|
"x_mitre_version": "1.5"
|
|
}
|
|
]
|
|
} |