Description
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
Mitigations (4)
Privileged Account ManagementM1026
Audit local account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.
For example, audit th
Multi-factor AuthenticationM1032
Enable multi-factor authentication (MFA) for local accounts to add an extra layer of protection against credential theft and misuse. MFA can be implemented using methods like mobile-based authenticators or hardware tokens, even in environments that do not rely on domain controllers or cloud services. This additional security measure can help reduce the risk of adversaries gaining unauthorized acce
Password PoliciesM1027
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
User Account ManagementM1018
Enforce user account management practices for local accounts to limit access and remove inactive or unused accounts. By doing so, you reduce the attack surface available to adversaries and prevent unauthorized access to local systems.
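One way to verify the Password Policies requirement above (unique local administrator passwords across all systems), as an added example that is not MITRE's text or this page's code: given an inventory of local Administrator NT hashes per host, collected with authorization (for instance while validating a LAPS rollout or during an assessment), report hashes shared by more than one host and hashes that match a deny-list of known-bad passwords. The inventory and the deny-list below are constructed sample data; host names and passwords are assumptions. MD4 is implemented inline because hashlib's md4 is an OpenSSL legacy algorithm that is often unavailable on current builds.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included only because hashlib.new('md4')
    is usually missing on OpenSSL 3 builds. MD4 is cryptographically broken
    and is used here solely to interoperate with the NT hash format."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    bit_len = len(message) * 8
    message += b"\x80"                                   # padding: 1 bit then zeros
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)                # 64-bit little-endian length

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = state
        for i in range(16):                              # round 1: F, X[i]
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 2: G, X[0,4,8,12,1,...]
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 3: H, X[0,8,4,12,2,...]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed inventory (assumption): host -> NT hash of its local Administrator.
# In practice this comes from a LAPS/SAM audit or an authorized dump, never from
# plaintext passwords as shown here.
INVENTORY = {
    "WS01": nt_hash("Winter2024!"),
    "WS02": nt_hash("Winter2024!"),
    "WS03": nt_hash("Winter2024!"),
    "FS01": nt_hash("c0rrect-h0rse-battery-staple-FS01"),
    "DB01": nt_hash("password"),
}

# Constructed deny-list (assumption); a real one would be a breach corpus.
WEAK_CANDIDATES = ["password", "Password1", "Winter2024!", "admin"]


def reused_hashes(inventory):
    """Hashes present on more than one host: one compromise opens all of them."""
    by_hash = defaultdict(list)
    for host, digest in inventory.items():
        by_hash[digest].append(host)
    return {digest: sorted(hosts) for digest, hosts in by_hash.items() if len(hosts) > 1}


def weak_hosts(inventory, candidates):
    """Hosts whose local admin hash matches a deny-listed password (no salt, so
    a direct lookup table is enough)."""
    lookup = {nt_hash(p): p for p in candidates}
    return {host: lookup[digest] for host, digest in inventory.items() if digest in lookup}


if __name__ == "__main__":
    print("reused across hosts:", reused_hashes(INVENTORY))
    print("deny-listed:", weak_hosts(INVENTORY, WEAK_CANDIDATES))
```

Because NT hashes are unsalted, the same password always yields the same hash, so reuse across hosts is visible without cracking anything; that same property is what lets an adversary replay a dumped local admin hash against every host that shares it.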
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used a tool called GREASE to add a Windows admin account in order to allow them continued access ... |
| G0056 | PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020) |
| G0051 | FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017) |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used valid local accounts to gain initial access.(Citation: Trend Micro Ransomware Spotlight Play J... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017) |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) compromised cPanel accounts in victim environments.(Citation: Hunt Sea Turtle 2024) |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used known administrator account credentials to execute the backdoor directly.(Citation: T... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Excha... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used compromised credentials for access as SYSTEM on Exchange servers.(Citation: Microsoft Ransomwar... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) accessed vulnerable Cisco switch devices using accounts with administrator privileges.(Citation: S... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organizat... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutc... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) can brute force a local admin password, then use it to facilitate lateral movement.(Citation: Malwar... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use known credentials to run commands and spawn processes as a local user account.(Citati... |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) can use valid credentials with [PsExec](https://attack.mitre.org/software/S0029) or <code>wmic</co... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can use a compromised local account for lateral movement.(Citation: Joint Cybersecurity Advisor... |
| S0221 | Umbreon | Malware | [Umbreon](https://attack.mitre.org/software/S0221) creates valid local users to provide access to the system.(Citation: Umbreon Trend Micro) |
Frequently Asked Questions
What is T1078.003 (Local Accounts)?
T1078.003 is a MITRE ATT&CK sub-technique named 'Local Accounts' (parent: T1078, Valid Accounts). It belongs to the Defense Evasion, Persistence, Privilege Escalation and Initial Access tactics. Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an o...
How can T1078.003 be detected?
Because this technique uses legitimate credentials, detection relies on authentication and account-management telemetry rather than on any single malicious artifact. On Windows, collect Security log events 4624 and 4625 (logon success and failure), 4720 (user account created) and 4732 (member added to a security-enabled local group such as Administrators); a logon whose TargetDomainName is the computer's own name rather than the AD domain is a local-account logon, which is what separates this sub-technique from domain accounts (T1078.002). Patterns worth alerting on: network logons (logon type 3) with the same local administrator account across many hosts from one source, which indicates a shared local password being used for lateral movement; creation of a local account followed shortly by its addition to Administrators; bursts of 4625 for a local account followed by a 4624 (brute force); and any activity from dormant or retired accounts. On Linux and macOS, review sshd, su and sudo entries in the auth log or journal, wtmp/lastlog, and changes to /etc/passwd, /etc/shadow and /etc/sudoers. Feed these into SIEM correlation rules and EDR behavioral analytics, and baseline which local accounts are expected to log on remotely at all.
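The three Windows correlations just described, as an added example that is not part of the MITRE ATT&CK entry or this page: a Python script that runs them over a constructed batch of Security events (sample data, not real telemetry). It assumes the events were exported with the field names used here, that CORP is the organisation's AD domain, and that the 4732 MemberSid has already been resolved to an account name; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AD_DOMAINS = {"CORP"}      # assumption: the AD NetBIOS domain name(s) in this environment


def ev(host, event_id, time, user, domain, logon_type=None, src=None, group=None):
    """Build one normalised Security event; field names follow the EventData XML."""
    return {"host": host, "id": event_id, "time": datetime.fromisoformat(time),
            "user": user, "domain": domain, "logon_type": logon_type,
            "src": src, "group": group}


# Constructed sample events (assumption), not captured from a real system.
EVENTS = [
    # one local admin password reused on four hosts, driven from a single source
    ev("WS01", 4624, "2024-05-01T09:00:10", "ladmin", "WS01", 3, "10.0.0.5"),
    ev("WS02", 4624, "2024-05-01T09:00:40", "ladmin", "WS02", 3, "10.0.0.5"),
    ev("WS03", 4624, "2024-05-01T09:01:05", "ladmin", "WS03", 3, "10.0.0.5"),
    ev("FS01", 4624, "2024-05-01T09:01:30", "ladmin", "FS01", 3, "10.0.0.5"),
    # noise: a domain account doing the same is T1078.002, not this sub-technique
    ev("WS01", 4624, "2024-05-01T09:05:00", "alice", "CORP", 3, "10.0.0.7"),
    ev("WS02", 4624, "2024-05-01T09:05:20", "alice", "CORP", 3, "10.0.0.7"),
    ev("WS03", 4624, "2024-05-01T09:05:40", "alice", "CORP", 3, "10.0.0.7"),
    # a new local account promoted to Administrators within minutes
    ev("WS07", 4720, "2024-05-01T10:00:00", "support1", "WS07"),
    ev("WS07", 4732, "2024-05-01T10:03:00", "support1", "WS07", group="Administrators"),
    # noise: account created but never promoted
    ev("WS07", 4720, "2024-05-01T10:10:00", "kiosk", "WS07"),
    # six failures for a local account in one minute, then a success
    *[ev("FS02", 4625, f"2024-05-01T11:00:{s:02d}", "backup", "FS02", 3, "10.0.0.9")
      for s in range(0, 60, 10)],
    ev("FS02", 4624, "2024-05-01T11:02:30", "backup", "FS02", 3, "10.0.0.9"),
]


def is_local_account(e):
    """Local-account logons carry the host's own name, not the AD domain, as TargetDomainName."""
    return e["domain"].upper() not in AD_DOMAINS


def local_account_spread(events, min_hosts=3):
    """Same local account name and source reaching >= min_hosts hosts over the
    network: the shared-password lateral movement pattern."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and is_local_account(e):
            hosts[(e["user"], e["src"])].add(e["host"])
    return sorted((u, s, sorted(h)) for (u, s), h in hosts.items() if len(h) >= min_hosts)


def created_then_admin(events, window=timedelta(minutes=15)):
    """4720 followed by 4732 into Administrators for the same account on the same host."""
    created = {(e["host"], e["user"]): e["time"] for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] == 4732 and e["group"] == "Administrators":
            t0 = created.get((e["host"], e["user"]))
            if t0 is not None and timedelta(0) <= e["time"] - t0 <= window:
                hits.append((e["host"], e["user"]))
    return hits


def brute_force_then_success(events, failures=5, window=timedelta(minutes=5)):
    """A 4624 for a local account preceded by >= failures 4625s from the same source."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and is_local_account(e):
            fails[(e["host"], e["user"], e["src"])].append(e["time"])
    hits = []
    for e in events:
        if e["id"] == 4624 and is_local_account(e):
            key = (e["host"], e["user"], e["src"])
            recent = [t for t in fails.get(key, []) if timedelta(0) <= e["time"] - t <= window]
            if len(recent) >= failures:
                hits.append((e["host"], e["user"], e["src"], len(recent)))
    return hits


def analyse(events=EVENTS):
    return {"shared_local_admin": local_account_spread(events),
            "created_then_admin": created_then_admin(events),
            "brute_forced": brute_force_then_success(events)}


if __name__ == "__main__":
    for name, findings in analyse().items():
        print(name, findings)
```

The domain-versus-hostname check is the discriminator that matters: the same spread rule applied to CORP\alice would be a domain-account finding and belongs to a different rule set. In production the event source would be a SIEM query rather than an in-memory list, and the 4732 member field arrives as a SID that has to be resolved before the name comparison works.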
What mitigations exist for T1078.003?
There are 4 documented mitigations for T1078.003. Key mitigations include: Privileged Account Management, Multi-factor Authentication, Password Policies, User Account Management.
Which threat groups use T1078.003?
Known threat groups using T1078.003 include: Kimsuky, PROMETHIUM, FIN10, Play, APT32, Sea Turtle, Tropic Trooper, HAFNIUM.