ID | Name |
---|---|
T1078.001 | Default Accounts |
T1078.002 | Domain Accounts |
T1078.003 | Local Accounts |
T1078.004 | Cloud Accounts |
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
ID | Name | Description |
---|---|---|
G0016 | APT29 |
APT29 has used compromised local accounts to access victims' networks.[1] |
G0050 | APT32 |
APT32 has used legitimate local admin account credentials.[2] |
S0154 | Cobalt Strike |
Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.[3][4] |
S0367 | Emotet |
Emotet can brute force a local admin password, then use it to facilitate lateral movement.[5] |
G0051 | FIN10 |
FIN10 has moved laterally using the Local Administrator account.[6] |
G0125 | HAFNIUM |
HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.[7] |
G0094 | Kimsuky |
Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[8] |
S0368 | NotPetya |
NotPetya can use valid credentials with PsExec or |
G0116 | Operation Wocao |
Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.[11] |
G0056 | PROMETHIUM |
PROMETHIUM has created admin accounts on a compromised host.[12] |
G0081 | Tropic Trooper |
Tropic Trooper has used known administrator account credentials to execute the backdoor directly.[13] |
G0010 | Turla |
Turla has abused local accounts that have the same password across the victim’s network.[14] |
S0221 | Umbreon |
Umbreon creates valid local users to provide access to the system.[15] |
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies |
Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management |
Audit local accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [16] [17] These audits should check if new local accounts are created that have not be authorized. Implementing LAPS may help prevent reuse of local administrator credentials across a domain.[18] |
ID | Data Source | Data Component |
---|---|---|
DS0028 | Logon Session | Logon Session Creation |
Logon Session Metadata | ||
DS0002 | User Account | User Account Authentication |
Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.