EXPLORE

← Back to Explore

T1078.003

Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse...

LinuxmacOSWindowsContainersNetwork DevicesESXi

23

Detections

3

Sources

12

Threat Actors

BY SOURCE

13elastic5sigma5splunk_escu

PROCEDURES (18)

Privilege4 detections

Auto-extracted: 4 detections for privilege

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Lateral1 detections

Auto-extracted: 1 detections for lateral

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

THREAT ACTORS (12)

APT29 APT32 FIN10 FIN7 HAFNIUM Kimsuky Play PROMETHIUM Sea Turtle Tropic Trooper Turla Velvet Ant

DETECTIONS (23)

Account Discovery Command via SYSTEM Account

Admin User Remote Logon

Attempt to Enable the Root Account

Cisco ASA - New Local User Account Created

Cisco ASA - User Privilege Level Change

Detect Excessive User Account Lockouts

Mounting Hidden or WebDav Remote Shares

Potential Admin Group Account Addition

Potential Hidden Local User Account Creation

Potential password in username

Potential Suspicious DebugFS Root Device Access

Rare User Logon

Root Account Enable Via Dsenableroot

Short Lived Windows Accounts

Spike in Successful Logon Events from a Source IP

Unusual Interactive Shell Launched from System User

Unusual Login via System User

Unusual Windows User Privilege Elevation Activity

Unusual Windows Username

User Added To Admin Group Via Dscl

User Added To Admin Group Via DseditGroup

User Added To Admin Group Via Sysadminctl

User Added to the Admin Group