T1078.003: Local Accounts
| | |
|---|---|
| View on MITRE ATT&CK | T1078.003 |
| Tactic(s) | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
Data from MITRE ATT&CK®:
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
User Account Authentication (User Account)
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)
Logon Session Metadata (Logon Session)
Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it
Logon Session Creation (Logon Session)
Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Create local account with admin privileges - MacOS
WinPwn - Loot local Credentials - powerhell kittie
Login as nobody (Linux)
WinPwn - Loot local Credentials - Safetykatz
Enable root account using dsenableroot utility - MacOS
Login as nobody (freebsd)
Create local account with admin privileges
Reactivate a locked/expired account (FreeBSD)
Create local account with admin privileges using sysadminctl utility - MacOS
Create local account (Linux)
Add a new/existing user to the admin group using dseditgroup utility - macOS
Reactivate a locked/expired account (Linux)
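As an added example, not part of this page, of MITRE's data, or of the Atomic Red Team tests listed above, the Python script below shows how the two data components named under detection (EID 4624 logon sessions and /var/log/auth.log authentication events) can be turned into checks for the behaviours those tests exercise. All inputs are constructed: the 4624 records, the auth.log lines, host names, user names, source addresses and the admin-group and system-account lists are assumptions for illustration. On the Windows side it flags logons where the target domain equals the host name (a local SAM account rather than a domain account) that arrived over the network or RDP, then groups them to surface one local credential reused across several hosts, which is the password-reuse pattern in the MITRE description. On the Linux side it pairs a useradd/usermod sequence (local account created, then added to an admin group) with the account's first login, and flags interactive logins by accounts such as nobody.

```python
import re

# Constructed sample of Windows Security EID 4624 records (field names follow
# the event's EventData; every value here is made up for the example).
WINDOWS_4624_SAMPLES = [
    {"Computer": "WS01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 10, "IpAddress": "10.0.0.5", "AuthenticationPackageName": "Kerberos"},
    {"Computer": "WS01", "TargetUserName": "svc_backup", "TargetDomainName": "WS01",
     "LogonType": 3, "IpAddress": "10.0.0.77", "AuthenticationPackageName": "NTLM"},
    {"Computer": "WS02", "TargetUserName": "svc_backup", "TargetDomainName": "WS02",
     "LogonType": 3, "IpAddress": "10.0.0.77", "AuthenticationPackageName": "NTLM"},
    {"Computer": "WS02", "TargetUserName": "localadmin", "TargetDomainName": "WS02",
     "LogonType": 2, "IpAddress": "-", "AuthenticationPackageName": "Negotiate"},
    {"Computer": "WS03", "TargetUserName": "Administrator", "TargetDomainName": "WS03",
     "LogonType": 10, "IpAddress": "10.0.0.77", "AuthenticationPackageName": "NTLM"},
]

REMOTE_LOGON_TYPES = {3, 10}            # 3 = network (SMB, WinRM), 10 = RemoteInteractive (RDP)
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}


def flag_remote_local_account_logons(events):
    """Return the 4624 events in which a local SAM account was used from another host.

    A local account is recognisable because TargetDomainName equals the machine's
    own name; a domain account would carry the AD domain instead. Remote use of
    such an account is the lateral-movement shape of T1078.003.
    """
    hits = []
    for e in events:
        is_local_account = e["TargetDomainName"].upper() == e["Computer"].upper()
        is_remote = (e["LogonType"] in REMOTE_LOGON_TYPES
                     and e["IpAddress"] not in LOCAL_ADDRESSES)
        if is_local_account and is_remote:
            hits.append(e)
    return hits


def local_accounts_seen_on_multiple_hosts(events):
    """Group remote local-account logons by (user, source IP) and keep those that
    reached more than one host: the same local credential working on several
    machines is the password-reuse signal MITRE describes."""
    seen = {}
    for e in flag_remote_local_account_logons(events):
        key = (e["TargetUserName"].lower(), e["IpAddress"])
        seen.setdefault(key, set()).add(e["Computer"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed /var/log/auth.log excerpt in rsyslog format; host, PIDs and
# addresses are invented. Message formats follow sshd, useradd and usermod.
AUTH_LOG_SAMPLE = """\
Mar  4 09:12:01 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  4 09:14:33 web01 useradd[2290]: new user: name=support, UID=1002, GID=1002, home=/home/support, shell=/bin/bash
Mar  4 09:14:35 web01 usermod[2295]: add 'support' to group 'sudo'
Mar  4 09:15:10 web01 sshd[2302]: Accepted password for support from 10.0.0.77 port 51100 ssh2
Mar  4 09:20:44 web01 sshd[2350]: Accepted password for nobody from 10.0.0.77 port 51230 ssh2
Mar  4 09:21:00 web01 sshd[2360]: Failed password for root from 10.0.0.77 port 51240 ssh2
"""

ADMIN_GROUPS = {"sudo", "wheel", "admin"}          # assumed set of privileged groups
SYSTEM_ACCOUNTS = {"nobody", "daemon", "www-data"}  # accounts that should never log in

RE_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
RE_USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),")
RE_GROUPADD = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")


def analyse_auth_log(text):
    """Walk the log once and return (rule, user, detail) findings for:
    a local account being created, that account being put in an admin group,
    a login by an account created earlier in the same log, and a successful
    login by a system account that has no business logging in."""
    findings = []
    new_accounts = set()
    for line in text.splitlines():
        if m := RE_USERADD.search(line):
            new_accounts.add(m.group(1))
            findings.append(("local_account_created", m.group(1), line))
        elif m := RE_GROUPADD.search(line):
            user, group = m.groups()
            if group in ADMIN_GROUPS:
                findings.append(("local_account_admin_group", user, group))
        elif m := RE_ACCEPTED.search(line):
            user, src = m.groups()
            if user in new_accounts:
                findings.append(("new_local_account_login", user, src))
            if user in SYSTEM_ACCOUNTS:
                findings.append(("system_account_login", user, src))
    return findings


if __name__ == "__main__":
    for e in flag_remote_local_account_logons(WINDOWS_4624_SAMPLES):
        print("remote local-account logon:", e["Computer"], e["TargetUserName"], e["IpAddress"])
    print("reused across hosts:", local_accounts_seen_on_multiple_hosts(WINDOWS_4624_SAMPLES))
    for rule, user, detail in analyse_auth_log(AUTH_LOG_SAMPLE):
        print(rule, user, detail)
```

The Windows check deliberately ignores LogonType 2 with no source address, since a console logon with a local account is routine; what matters for this technique is the local credential being accepted from elsewhere. The Linux check keeps state across lines because the interesting fact is the sequence (create, elevate, log in), not any single event.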
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.