Clankerusecase
MITRE ATT&CK detection coverage

T1136.001 Local Account

T1136.001 — Local Account is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 17 detection use cases covering it and 1 threat-intel article citing it.

Persistence
17 Use cases
1 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (17)

[WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) Internal exploit · alerting DSPDD
[WEEKLY] Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop Internal install · alerting DSΣPDD
Cisco ASA - New Local User Account Created ESCU actions · hunting P
ESXi Account Modified ESCU actions · hunting P
Detect New Local Admin account ESCU actions · alerting P
Linux Add User Account ESCU actions · hunting P
Linux Auditd Add User Account ESCU actions · hunting P
Linux Auditd Add User Account Type ESCU actions · hunting P
Short Lived Windows Accounts ESCU actions · alerting P
Windows Create Local Account ESCU actions · hunting P
Windows Create Local Administrator Account Via Net ESCU actions · hunting P
Windows ESX Admins Group Creation Security Event ESCU actions · alerting P
Windows ESX Admins Group Creation via Net ESCU actions · alerting P
Windows ESX Admins Group Creation via PowerShell ESCU actions · alerting P
Windows Privileged Group Modification ESCU actions · alerting P
Create local admin accounts using net exe ESCU actions · alerting P
[LLM] Ivanti Sentry unauthenticated admin account creation (CVE-2026-10523) Bespoke install · alerting DSPDDCS

Articles citing this technique (1)