Valid Accounts: Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

ID: T1078.003
Sub-technique of: T1078
Platforms: Containers, ESXi, Linux, Network Devices, Windows, macOS
Version: 1.5
Created: 13 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
G0016 APT29

APT29 targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organization but whose accounts remain on the system, for access and persistence.[1]

G0050 APT32

APT32 has used legitimate local admin account credentials.[2]

S0154 Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.[3][4]

S0367 Emotet

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[5]

G0051 FIN10

FIN10 has moved laterally using the Local Administrator account.[6]

G0046 FIN7

FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.[7]

G0125 HAFNIUM

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[8]

G0094 Kimsuky

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[9]

C0049 Leviathan Australian Intrusions

Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.[10]

S1202 LockBit 3.0

LockBit 3.0 can use a compromised local account for lateral movement.[11]

S0368 NotPetya

NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[12][13]

C0014 Operation Wocao

During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.[14]

G1040 Play

Play has used valid local accounts to gain initial access.[15]

G0056 PROMETHIUM

PROMETHIUM has created admin accounts on a compromised host.[16]

G1041 Sea Turtle

Sea Turtle compromised cPanel accounts in victim environments.[17]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks.[18]

G0081 Tropic Trooper

Tropic Trooper has used known administrator account credentials to execute the backdoor directly.[19]

G0010 Turla

Turla has abused local accounts that have the same password across the victim’s network.[20]

S0221 Umbreon

Umbreon creates valid local users to provide access to the system.[21]

G1047 Velvet Ant

Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges.[22]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Enable multi-factor authentication (MFA) for local accounts to add an extra layer of protection against credential theft and misuse. MFA can be implemented using methods like mobile-based authenticators or hardware tokens, even in environments that do not rely on domain controllers or cloud services. This additional security measure can help reduce the risk of adversaries gaining unauthorized access to local systems and resources.

M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Routinely audit the permission levels of local accounts to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account.[23][24] Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.

For example, audit the use of service accounts in Kubernetes, and avoid automatically granting them access to the Kubernetes API if this is not required.[25] Implementing LAPS may also help prevent reuse of local administrator credentials across a domain.[26]

M1018 User Account Management

Enforce user account management practices for local accounts to limit access and remove inactive or unused accounts. By doing so, you reduce the attack surface available to adversaries and prevent unauthorized access to local systems.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.

Analytic 1 - Remote Desktop Logon

(source="*WinEventLog:Security" EventCode="4624") AuthenticationPackageName="Negotiate" AND Severity="Information" AND logon_type="10"
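The two logon-session patterns described above (an RDP logon from an unexpected originating system, and one account creating sessions on several hosts within the same hour) as an added example that is not part of the ATT&CK page: it runs over constructed, pre-parsed 4624 records, and the approved RDP source list, hostnames, accounts and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security 4624 (logon) events; hosts,
# accounts, addresses and times are made up for this example.
EVENTS = [
    {"ts": "2025-04-15T08:55:00", "user": "jdoe",       "host": "WS-01",  "type": 2,  "src": "-"},
    {"ts": "2025-04-15T09:00:00", "user": "admin-it",   "host": "SRV-01", "type": 10, "src": "10.0.0.10"},
    {"ts": "2025-04-15T09:20:00", "user": "localadmin", "host": "SRV-02", "type": 10, "src": "10.0.0.77"},
    {"ts": "2025-04-15T09:21:00", "user": "localadmin", "host": "SRV-03", "type": 3,  "src": "10.0.0.77"},
    {"ts": "2025-04-15T09:25:00", "user": "localadmin", "host": "SRV-04", "type": 3,  "src": "10.0.0.77"},
    {"ts": "2025-04-15T13:00:00", "user": "jdoe",       "host": "WS-01",  "type": 2,  "src": "-"},
]
# Hypothetical allow-list of workstations from which admin RDP is expected.
APPROVED_RDP_SOURCES = {"10.0.0.10"}
INTERESTING_TYPES = {2, 3, 9, 10}  # the logon types the page calls out


def rdp_from_unapproved_source(events, approved=APPROVED_RDP_SOURCES):
    """Analytic 1 plus the originating-system check: type-10 (RDP) logons whose
    source address is not a known administrative workstation."""
    return [(e["user"], e["host"], e["src"])
            for e in events if e["type"] == 10 and e["src"] not in approved]


def account_on_multiple_hosts(events, window=timedelta(hours=1)):
    """Accounts whose logon sessions on different hosts fall within `window`
    of each other (the 'one account on multiple systems' pattern)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] in INTERESTING_TYPES:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for user, sessions in by_user.items():
        sessions.sort()  # chronological, so we can stop once outside the window
        for i, (t1, h1) in enumerate(sessions):
            for t2, h2 in sessions[i + 1:]:
                if t2 - t1 > window:
                    break
                if h1 != h2:
                    hits.setdefault(user, set()).update({h1, h2})
    return hits


if __name__ == "__main__":
    for hit in rdp_from_unapproved_source(EVENTS):
        print("RDP logon from unapproved source:", hit)
    for user, hosts in account_on_multiple_hosts(EVENTS).items():
        print(f"{user} created sessions on {sorted(hosts)} within one hour")
```

Against the sample data only the shared `localadmin` account is flagged, by both checks; the same-host logons of `jdoe` hours apart are not.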

Logon Session Metadata

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

DS0002 User Account User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux.

Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including /var/log/secure.

References

  1. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  2. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  3. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  4. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who's Your Daddy?. Retrieved June 4, 2019.
  5. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  6. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
  7. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  8. Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
  9. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  10. CISA et al. (2024, July 8). People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  11. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  12. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  13. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  14. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  15. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  16. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  17. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  18. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  19. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.
  20. Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
  21. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  22. Sygnia Team. (2024, July 1). China-Nexus Threat Group 'Velvet Ant' Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response. Retrieved March 14, 2025.
  23. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  24. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  25. Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.
  26. Margosis, A. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.