DET0447: T1136.001 Detection Strategy - Local Account Creation Across Platforms
Analyst context for executives and security teams
DET0447 is a detection strategy for identifying local account creation associated with ATT&CK technique T1136.001. The business issue is persistence: if an attacker can create or hide a local account on a system or service, they may retain access after passwords are reset or initial access is removed. For security leaders, this is a control-validation problem: confirm whether account-creation events on relevant platforms are logged, reviewed, and tied to incident response decisions.
Executive priority
Prioritize this where local administrator, service, remote support, container, ESXi, Linux, or macOS account management could affect business continuity or recovery confidence. Leaders should ask: can we prove who created local accounts, when, on which assets, and whether creation was authorized? This evidence supports incident scoping, privileged-access governance, compliance readiness, and post-incident assurance that persistence mechanisms were removed.
Technical view
The supplied ATT&CK object has no official description, detection text, tactics, or platforms of its own. Its relationship states that it detects T1136.001 Local Account, a persistence technique involving creation of local accounts, with related platforms listed as Containers, ESXi, Linux, and macOS. SOC and IR teams should validate visibility into local account creation and modification events across those environments, then correlate account creation with asset criticality, privilege level, initiating user or process, change-management records, and nearby suspicious activity.
Likely telemetry
- Local user/account creation events from operating systems or services
- Authentication and authorization logs showing new account use
- Administrative command or process execution telemetry where available
- Privilege or group membership change events
- Container, ESXi, Linux, and macOS audit logs relevant to local identity management
Detection direction
- Baseline expected local account creation by platform, asset role, and administrative workflow.
- Alert on unexpected local account creation, especially on high-value systems or outside approved maintenance windows.
- Correlate new account creation with subsequent logons, privilege changes, remote access, or persistence-related activity.
- Tune for legitimate IT operations, break-glass accounts, service accounts, and automated provisioning to reduce false positives.
- Identify blind spots where local account events are not centrally collected, are overwritten quickly, or are not normalized across Containers, ESXi, Linux, and macOS environments.
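The detection direction above, turned into runnable logic over constructed events. This is an added example written for this page; it is not detection content from the ATT&CK object or the Glexia mirror. The host names, accounts, approved-actor set, maintenance window and every event are assumptions built for the demo; only the raw syslog line follows the real shadow-utils `useradd` "new user:" message shape, and the year attached to it is assumed because syslog lines carry none.

```python
"""Detection logic for DET0447 / T1136.001 run over constructed sample events.

Added example for this page; it is not part of the ATT&CK object or the Glexia
mirror. The hosts, accounts, approved-actor set, maintenance window and every
event below are assumptions constructed for the demo. Only the raw syslog line
follows the real shadow-utils useradd "new user:" message shape.
"""
import re
from datetime import datetime, timedelta

# Assumed baseline: identities allowed to create local accounts at any time,
# hosts where any local account creation is high-value, and the approved
# window (host-local hours) in which human administrators may create accounts.
APPROVED_ACTORS = {"ansible", "jamf"}
HIGH_VALUE_HOSTS = {"esxi01", "db01"}
MAINT_WINDOW = (2, 4)                 # 02:00 <= hour < 04:00
LOGON_WINDOW = timedelta(hours=24)    # how long to watch for the new account's first logon
SYSLOG_YEAR = 2026                    # syslog lines carry no year; assumed

# shadow-utils useradd logs "useradd[pid]: new user: name=X, UID=N, GID=N, ..."
USERADD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)


def parse_useradd_line(line):
    """Normalise a Linux useradd syslog line into the event schema used below.

    useradd does not log who invoked it; the actor has to be joined from auditd
    (auid) or the sudo log. Until that join exists the actor is None, which the
    rules treat as unattributed, and unattributed counts as unapproved.
    """
    m = USERADD_RE.match(line)
    if not m:
        return None
    created = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": created.isoformat(), "platform": "linux", "host": m["host"],
            "kind": "account_create", "actor": None, "account": m["name"],
            "uid": int(m["uid"])}


def evaluate(events):
    """Apply the baseline rules to normalised events; return a list of alerts."""
    creates = [e for e in events if e["kind"] == "account_create"]
    logons = [e for e in events if e["kind"] == "logon"]
    alerts = []
    for e in creates:
        created = datetime.fromisoformat(e["ts"])
        unapproved = e["actor"] not in APPROVED_ACTORS
        reasons = []
        if unapproved:
            reasons.append("actor unattributed" if e["actor"] is None
                           else f"actor {e['actor']} is not an approved provisioner")
        if e["host"] in HIGH_VALUE_HOSTS:
            reasons.append("high-value host")
        if not MAINT_WINDOW[0] <= created.hour < MAINT_WINDOW[1]:
            reasons.append("outside maintenance window")
        if e.get("uid") == 0:
            reasons.append("UID 0 account (root-equivalent)")
        # Correlate with the new account's first logon on the same host.
        for lg in logons:
            delta = datetime.fromisoformat(lg["ts"]) - created
            if ((lg["host"], lg["account"]) == (e["host"], e["account"])
                    and timedelta(0) <= delta <= LOGON_WINDOW):
                reasons.append(f"new account logged on from {lg['src']} "
                               f"{int(delta.total_seconds() // 60)} min later")
                break
        # Tuning: an approved provisioner is never alerted on actor alone, and a
        # human creating an ordinary account inside the window on an ordinary
        # host is routine IT work. Anything else unapproved, or any UID 0
        # account regardless of actor, is alerted.
        aggravating = [r for r in reasons if not r.startswith("actor")]
        if (unapproved and aggravating) or e.get("uid") == 0:
            alerts.append({"host": e["host"], "platform": e["platform"],
                           "account": e["account"],
                           "severity": "high" if len(reasons) >= 3 else "medium",
                           "reasons": reasons})
    return alerts


# Constructed input: one raw Linux syslog line plus pre-normalised events that
# stand in for macOS, ESXi and container audit sources after collection.
RAW_LINUX_LINE = ("Mar  3 23:11:50 db01 useradd[4172]: new user: name=backup, "
                  "UID=0, GID=0, home=/root, shell=/bin/bash")
SAMPLE_EVENTS = [
    {"ts": "2026-03-03T02:14:05", "platform": "linux", "host": "web01",
     "kind": "account_create", "actor": "ansible", "account": "deploy", "uid": 1003},
    {"ts": "2026-03-03T03:00:00", "platform": "linux", "host": "web02",
     "kind": "account_create", "actor": "ops-bob", "account": "tmpfix", "uid": 1004},
    {"ts": "2026-03-03T09:05:00", "platform": "macos", "host": "mac-ceo",
     "kind": "account_create", "actor": "jamf", "account": "helpdesk", "uid": 502},
    {"ts": "2026-03-03T14:22:41", "platform": "esxi", "host": "esxi01",
     "kind": "account_create", "actor": "root", "account": "support2", "uid": None},
    {"ts": "2026-03-03T14:30:09", "platform": "esxi", "host": "esxi01",
     "kind": "logon", "account": "support2", "src": "10.0.9.77"},
    parse_useradd_line(RAW_LINUX_LINE),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["severity"], a["platform"], a["host"], a["account"], a["reasons"])
```

Of the five creations, only two alert: the ESXi `support2` account (shared `root` actor, high-value host, outside the window, and logged on from a new source seven minutes later) and the parsed Linux `backup` account (UID 0 on a database host with no attributable actor). The Ansible and Jamf provisioning events and the in-window human creation on an ordinary host are tuned out, which is the false-positive reduction the list calls for; the real work in production is the actor join from auditd or sudo, without which every Linux creation is unattributed.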
Mitigation priorities
- Establish ownership and approval paths for local account creation on relevant systems.
- Restrict who can create local accounts and regularly review local administrators, service users, and unused accounts.
- Centralize and retain local account management logs for SOC and incident response use.
- Use periodic audits to compare actual local accounts against approved inventory or configuration baselines.
- During incidents, include newly created local accounts in containment and eradication checklists.
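The periodic audit described in the mitigation list, as an added example that is not the ATT&CK object's or Glexia's code: it diffs a passwd-style export against an approved name-to-UID inventory and a last-logon table. The export, inventory, logon dates and 90-day staleness threshold are constructed assumptions. Linux and ESXi keep `/etc/passwd` in this shape; on macOS the same name/UID view comes from `dscl . -list /Users UniqueID`.

```python
"""Periodic local-account audit against an approved inventory.

Added example for this page, not the ATT&CK object's or Glexia's code. The
passwd export, the approved inventory, the last-logon table and the staleness
threshold are constructed assumptions.
"""
from datetime import date

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map account name -> {uid, gid, home, shell} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid),
                          "home": home, "shell": shell}
    return accounts


def audit(accounts, approved, last_logon, today, stale_after_days=90):
    """Compare live accounts with the approved name -> UID inventory.

    Returns (account, finding) tuples for: accounts absent from the inventory,
    UID drift, extra UID 0 accounts, approved interactive accounts that have
    not logged on within the threshold, and approved accounts missing from
    the host. Unapproved accounts are not also reported as stale, since the
    inventory finding already covers them.
    """
    findings = []
    for name, acct in sorted(accounts.items()):
        if name not in approved:
            findings.append((name, "not in approved inventory"))
        else:
            if approved[name] != acct["uid"]:
                findings.append((name, f"UID drift: approved {approved[name]}, "
                                       f"found {acct['uid']}"))
            if acct["shell"] not in NOLOGIN_SHELLS:
                last = last_logon.get(name)
                if last is None or (today - last).days > stale_after_days:
                    findings.append((name, "interactive account unused for more "
                                           f"than {stale_after_days} days"))
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
    for name in sorted(set(approved) - set(accounts)):
        findings.append((name, "approved account missing from host"))
    return findings


# Constructed passwd export and governance data for one host.
PASSWD_EXPORT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1003:1003::/home/deploy:/bin/bash
backup:x:0:0::/root:/bin/bash
oldadmin:x:1001:1001::/home/oldadmin:/bin/bash
"""
APPROVED_INVENTORY = {"root": 0, "daemon": 1, "deploy": 1003,
                      "oldadmin": 1001, "monitor": 1005}
LAST_LOGON = {"root": date(2026, 3, 1), "deploy": date(2026, 3, 2),
              "oldadmin": date(2025, 10, 1)}
TODAY = date(2026, 3, 3)

if __name__ == "__main__":
    for account, finding in audit(parse_passwd(PASSWD_EXPORT),
                                  APPROVED_INVENTORY, LAST_LOGON, TODAY):
        print(f"{account}: {finding}")
```

The run reports `backup` twice (not in the inventory, and a second UID 0 entry), `oldadmin` as an approved interactive account unused for more than 90 days, and `monitor` as approved but absent, which is the "actual versus approved" comparison the mitigation item calls for; a missing approved account is worth reporting because it can mean the baseline, not the host, is what drifted.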
Analyst notes and limits
This take is based on the detection strategy object DET0447 and its relationship to T1136.001 Local Account. Because the detection strategy itself does not include official detection logic, platform scope, or description, the practical guidance is framed around the related technique’s persistence context and listed related platforms.
No official detection text, object-level platforms, tactics, aliases, labels, or description were supplied for DET0447. Local validation is required to determine actual log sources, event identifiers, retention, account governance workflows, and detection coverage. This summary does not assert active exploitation, attribution, or guaranteed detection.
T1136.001 Detection Strategy - Local Account Creation Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1136.001 | Local Account (sub-technique of T1136 Create Account) | This object detects Local Account. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ccae7c4d341… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0447
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.