# T1078.003 Local Accounts

-----------------------------------------------------------------------

## Technique Description

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. 

## Technique Detection

Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Persistence

  * Privilege-Escalation

  * Initial-Access

### Platforms:

  * Linux

  * macOS

  * Windows

  * Containers

### Adversary Required Permissions:

  * Administrator

  * User

### Data Sources:

  * **User Account:** User Account Authentication

  * **Logon Session:** Logon Session Creation

  * **Logon Session:** Logon Session Metadata

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)| 
| Stolen Pencil | [Stolen Pencil](https://attack.mitre.org/groups/G0086) has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP. (Citation: Netscout Stolen Pencil Dec 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020)	| 
| PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017)| 
| FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1078/003)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------
### This technique is a duplicate.  Follow the link below to the "Primary Version".
<a href="../Initial Access/T1078.003 Local Accounts.ipynb" target="_blank">Primary Version</a>