Detection of Local Account Abuse for Initial Access and Persistence

Technique Detected: Local Accounts | T1078.003

ID: DET0407
Domains: Enterprise
Analytics: AN1137, AN1138, AN1139
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1137

Detects anomalous use of local accounts to log on to a system, especially logons by accounts not normally used interactively, or logons that occur outside business hours.

Log Sources

  Data Component                    | Name                 | Channel
  Logon Session Creation (DC0067)   | WinEventLog:Security | EventCode=4624
  Logon Session Metadata (DC0088)   | WinEventLog:Security | EventCode=4672

Mutable Elements

  Field       | Description
  TimeWindow  | Tune for normal business hours to reduce false positives from legitimate after-hours work.
  UserContext | Define the list of local users legitimately permitted interactive access.

AN1138

Detects interactive or service logins from local accounts outside expected operational context or at anomalous times.

Log Sources

  Data Component                         | Name              | Channel
  Logon Session Metadata (DC0088)        | auditd:USER_LOGIN | USER_LOGIN
  User Account Authentication (DC0002)   | linux:auth        | sshd login

Mutable Elements

  Field      | Description
  TimeWindow | Define operational hours or expected login times per host.
  HostRole   | Differentiate expected behavior for servers vs. workstations.

AN1139

Detects abnormal or rare logins via local accounts through system or remote mechanisms such as SSH.

Log Sources

  Data Component                    | Name             | Channel
  Logon Session Metadata (DC0088)   | macos:unifiedlog | loginwindow or sshd

Mutable Elements

  Field       | Description
  UserContext | Restrict expected local users by device owner or role.
  TimeWindow  | Set appropriate bounds based on endpoint usage patterns.
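The three analytics above share one shape: normalize a logon event, decide whether the account is local, then apply the mutable elements (TimeWindow, UserContext, HostRole). The following Python is an added example written for this page, not part of the ATT&CK detection strategy or any vendor rule. It handles AN1137 (Windows Security 4624 as a SIEM would present its fields) and the sshd "Accepted" line that feeds both AN1138 (linux:auth) and AN1139 (macOS sshd); the loginwindow and auditd channels are not parsed. The tuning values, host names, the DIRECTORY_USERS list, the syslog year, and all log lines are constructed assumptions, and the rule that servers are exempt from the TimeWindow but not from the allowlist is one possible reading of HostRole, not the page's.

```python
import re
from datetime import datetime

# --- Mutable elements (constructed tuning values; adjust per environment) ---
BUSINESS_HOURS = (8, 18)        # TimeWindow: hours 08..17 of the event timestamp are business hours
EXPECTED_LOCAL_USERS = {        # UserContext: local accounts expected to log on interactively, per host
    "ws01": {"localadmin"},
    "web01": {"deploy"},
    "mac-ceo": {"ceo"},
}
HOST_ROLE = {"ws01": "workstation", "web01": "server", "mac-ceo": "workstation"}  # HostRole
# Directory-backed accounts are T1078.002, not T1078.003. Linux/macOS sshd lines do not say
# which account store was used, so an assumed list is used to exclude them here.
DIRECTORY_USERS = {"alice", "bob"}
SYSLOG_YEAR = 2025              # syslog timestamps carry no year; assumed for the sample lines
WINDOWS_INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}  # Interactive, RemoteInteractive, CachedInteractive


def normalize_windows_4624(ev):
    """Map a Security 4624 event (field names as Windows logs them) to a common schema."""
    host = ev["Computer"].split(".")[0].lower()
    return {
        "host": host,
        "user": ev["TargetUserName"].lower(),
        # A local account authenticates against the machine's own SAM, so the account
        # domain recorded in the event equals the host name rather than the AD domain.
        "is_local": ev["TargetDomainName"].lower() == host,
        "interactive": ev["LogonType"] in WINDOWS_INTERACTIVE_LOGON_TYPES,
        "time": datetime.fromisoformat(ev["TimeCreated"]),
        "source": "WinEventLog:Security 4624",
    }


SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize_sshd(line):
    """Parse an sshd 'Accepted ...' line (linux:auth or macOS unified log) to the common schema."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    return {
        "host": m["host"].lower(),
        "user": m["user"].lower(),
        "is_local": m["user"].lower() not in DIRECTORY_USERS,
        "interactive": True,   # an SSH session counts as interactive for these analytics
        "time": datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "source": f"sshd from {m['src']}",
    }


def evaluate(event):
    """Return the reasons an event is anomalous under AN1137-AN1139; an empty list means expected."""
    if event is None or not event["is_local"] or not event["interactive"]:
        return []   # out of scope: unparsed line, directory account, or non-interactive logon
    reasons = []
    if event["user"] not in EXPECTED_LOCAL_USERS.get(event["host"], set()):
        reasons.append("local account not in UserContext allowlist")
    # Servers receive maintenance logons at any hour, so TimeWindow is applied to workstations only.
    role = HOST_ROLE.get(event["host"], "workstation")
    if role == "workstation" and not (BUSINESS_HOURS[0] <= event["time"].hour < BUSINESS_HOURS[1]):
        reasons.append("interactive logon outside TimeWindow")
    return reasons


def run(windows_events, syslog_lines):
    """Evaluate both feeds; return (host, user, source, reasons) for every anomalous logon, in input order."""
    events = [normalize_windows_4624(e) for e in windows_events]
    events += [normalize_sshd(line) for line in syslog_lines]
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append((ev["host"], ev["user"], ev["source"], reasons))
    return alerts


# --- Constructed sample telemetry (not real logs) ---
SAMPLE_4624 = [
    {"Computer": "WS01.corp.example", "TargetUserName": "localadmin", "TargetDomainName": "WS01",
     "LogonType": "2", "TimeCreated": "2025-10-21T09:15:00"},   # expected: allowlisted, in hours
    {"Computer": "WS01.corp.example", "TargetUserName": "svc_backup", "TargetDomainName": "WS01",
     "LogonType": "10", "TimeCreated": "2025-10-21T02:40:00"},  # RDP by unlisted local account at 02:40
    {"Computer": "WS01.corp.example", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": "2", "TimeCreated": "2025-10-21T02:40:00"},   # domain account: not T1078.003
    {"Computer": "WS01.corp.example", "TargetUserName": "localadmin", "TargetDomainName": "WS01",
     "LogonType": "3", "TimeCreated": "2025-10-21T02:41:00"},   # network logon: not interactive
]
SAMPLE_SYSLOG = [
    "Oct 21 03:02:11 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Oct 21 03:05:40 web01 sshd[2230]: Accepted password for root from 203.0.113.5 port 40022 ssh2",
    "Oct 21 22:30:05 mac-ceo sshd[811]: Accepted password for ceo from 192.168.1.40 port 55000 ssh2",
    "Oct 21 22:31:00 mac-ceo sshd[812]: Accepted publickey for bob from 192.168.1.41 port 55001 ssh2",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_4624, SAMPLE_SYSLOG):
        print(alert)
```

Running the block prints three alerts: the unlisted svc_backup RDP logon on ws01 (two reasons), the root SSH logon on web01 (allowlist only, because the server role suppresses the TimeWindow check), and the after-hours SSH logon by the allowlisted ceo account on the mac-ceo workstation (TimeWindow only). The allowlisted deploy logon, the domain account, the network logon, and the directory user bob produce nothing, which is the false-positive reduction the mutable elements are for.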