ID | Name |
---|---|
T1078.001 | Default Accounts |
T1078.002 | Domain Accounts |
T1078.003 | Local Accounts |
T1078.004 | Cloud Accounts |
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
ID | Name | Description |
---|---|---|
G0016 | APT29 |
APT29 targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organization but whose accounts remain on the system, for access and persistence.[1] |
G0050 | APT32 |
APT32 has used legitimate local admin account credentials.[2] |
S0154 | Cobalt Strike |
Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.[3][4] |
S0367 | Emotet |
Emotet can brute force a local admin password, then use it to facilitate lateral movement.[5] |
G0051 | FIN10 |
FIN10 has moved laterally using the Local Administrator account.[6] |
G0046 | FIN7 |
FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.[7] |
G0125 | HAFNIUM |
HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[8] |
G0094 | Kimsuky |
Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[9] |
S0368 | NotPetya |
NotPetya can use valid credentials with PsExec or |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.[12] |
G0056 | PROMETHIUM |
PROMETHIUM has created admin accounts on a compromised host.[13] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks.[14] |
G0081 | Tropic Trooper |
Tropic Trooper has used known administrator account credentials to execute the backdoor directly.[15] |
G0010 | Turla |
Turla has abused local accounts that have the same password across the victim’s network.[16] |
S0221 | Umbreon |
Umbreon creates valid local users to provide access to the system.[17] |
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies |
Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management |
Audit local accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [18] [19] Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries. For example, audit the use of service accounts in Kubernetes, and avoid automatically granting them access to the Kubernetes API if this is not required.[20] Implementing LAPS may also help prevent reuse of local administrator credentials across a domain.[21] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0028 | Logon Session | Logon Session Creation |
Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page. Analytic 1 - Remote Desktop Logon
|
Logon Session Metadata |
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
||
DS0002 | User Account | User Account Authentication |
Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including |