Skip to content

DET0407 Detection of Local Account Abuse for Initial Access and Persistence

Item Value
ID DET0407
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1078.003 (Local Accounts)

Analytics

Windows

AN1137

Detects anomalous usage of local accounts to log into a system, especially accounts not typically used interactively or outside business hours.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672
Mutable Elements
Field Description
TimeWindow Tune for normal business hours to reduce false positives from legitimate after-hours work.
UserContext Define list of legitimate local users for interactive access.

Linux

AN1138

Detects interactive or service logins from local accounts outside expected operational context or at anomalous times.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) auditd:USER_LOGIN USER_LOGIN
User Account Authentication (DC0002) linux:auth sshd login
Mutable Elements
Field Description
TimeWindow Define operational hours or expected login times per host.
HostRole Differentiate expected behavior for server vs. workstation.

macOS

AN1139

Detects abnormal or rare logins via local accounts through system or remote mechanisms such as SSH.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) macos:unifiedlog loginwindow or sshd
Mutable Elements
Field Description
UserContext Restrict expected local users by device owner or role.
TimeWindow Set appropriate bounds based on endpoint usage patterns.