T1078.003 Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

| Item | Value |
|---|---|
| ID | T1078.003 |
| Sub-techniques | T1078.001, T1078.002, T1078.003, T1078.004 |
| Tactics | TA0005, TA0003, TA0004, TA0001 |
| Platforms | Containers, Linux, Windows, macOS |
| Permissions required | Administrator, User |
| Version | 1.3 |
| Created | 13 March 2020 |
| Last Modified | 13 April 2023 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0050 | APT32 | APT32 has used legitimate local admin account credentials. [15] |
| S0154 | Cobalt Strike | Cobalt Strike can use known credentials to run commands and spawn processes as a local user account. [6][7] |
| S0367 | Emotet | Emotet can brute force a local admin password, then use it to facilitate lateral movement. [4] |
| G0051 | FIN10 | FIN10 has moved laterally using the Local Administrator account. [14] |
| G0125 | HAFNIUM | HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers. [13] |
| G0094 | Kimsuky | Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP. [10] |
| S0368 | NotPetya | NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems. [8][9] |
| C0014 | Operation Wocao | During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation. [17] |
| G0056 | PROMETHIUM | PROMETHIUM has created admin accounts on a compromised host. [11] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks. [18] |
| G0081 | Tropic Trooper | Tropic Trooper has used known administrator account credentials to execute the backdoor directly. [16] |
| G0010 | Turla | Turla has abused local accounts that have the same password across the victim's network. [12] |
| S0221 | Umbreon | Umbreon creates valid local users to provide access to the system. [5] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Audit local accounts' permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [1][2] These audits should check whether new local accounts have been created that have not been authorized. Implementing LAPS may help prevent reuse of local administrator credentials across a domain. [3] |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0028 | Logon Session | Logon Session Creation |
| DS0002 | User Account | User Account Authentication |
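The two data components above (logon session creation, user account authentication) and the M1026 audit for unauthorized local accounts, worked as an added example that is not part of the ATT&CK page: a Python script that runs over constructed Windows Security events (4624 successful logon, 4720 user account created) and flags local accounts used for network or RDP logons, local accounts created outside an assumed authorized baseline, and a single source address reaching several hosts with local accounts, the pattern a reused local admin password produces. Field names follow the Windows Security log; the sample events, host names and the baseline set are constructed.

```python
# Constructed sample Windows Security events (not real telemetry). Field names
# follow the Security log: 4624 = successful logon, 4720 = user account created.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "Administrator",
     "TargetDomainName": "WS01", "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "Administrator",
     "TargetDomainName": "SRV02", "LogonType": 10, "IpAddress": "10.0.0.25"},
    {"EventID": 4720, "Computer": "SRV02", "TargetUserName": "support2",
     "TargetDomainName": "SRV02", "SubjectUserName": "Administrator"},
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "helpdesk",
     "TargetDomainName": "WS01", "SubjectUserName": "itadmin"},
]

# Assumed baseline of approved local accounts (a real one comes from the
# account inventory, e.g. the LAPS-managed administrator accounts).
AUTHORIZED_LOCAL_ACCOUNTS = {"Administrator", "helpdesk"}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB, PsExec, wmic), 10 = RDP

def is_local_account(ev):
    # A local account authenticates against the host's own SAM, so the account
    # domain in the event equals the computer name rather than the AD domain.
    return ev["TargetDomainName"].upper() == ev["Computer"].upper()

def find_remote_local_logons(events):
    """Logon Session Creation: local accounts logging on over the network."""
    return [ev for ev in events if ev["EventID"] == 4624
            and is_local_account(ev) and ev["LogonType"] in REMOTE_LOGON_TYPES]

def find_unauthorized_creations(events, authorized=AUTHORIZED_LOCAL_ACCOUNTS):
    """User Account audit (M1026): new local accounts outside the baseline."""
    return [ev for ev in events if ev["EventID"] == 4720
            and is_local_account(ev) and ev["TargetUserName"] not in authorized]

def sources_spanning_hosts(events):
    """One source address reaching several hosts with local accounts: the
    pattern a reused local admin password produces during lateral movement."""
    hosts_by_source = {}
    for ev in find_remote_local_logons(events):
        hosts_by_source.setdefault(ev["IpAddress"], set()).add(ev["Computer"])
    return {src: sorted(h) for src, h in hosts_by_source.items() if len(h) > 1}

if __name__ == "__main__":
    print(find_remote_local_logons(SAMPLE_EVENTS))
    print(find_unauthorized_creations(SAMPLE_EVENTS))
    print(sources_spanning_hosts(SAMPLE_EVENTS))
```

The domain-equals-computer check is the key discriminator: a domain account logging on interactively (alice above) is ignored, while the same "Administrator" name authenticating against each host's own SAM from one address is surfaced.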

References

  1. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  2. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  3. Margosis, A. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.
  4. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  5. Mercês, F. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  6. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  7. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who's Your Daddy?. Retrieved June 4, 2019.
  8. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  9. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  10. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  11. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  12. Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
  13. Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
  14. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  15. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  16. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.
  17. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  18. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.