T1078.003 · defense-evasion, persistence, privilege-escalation, initial-access · 10 actors · 7 correlated reports

Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.

Observed actors

Kimsuky
G0094 APT32
G0050 HAFNIUM
G0125 FIN7
G0046 Tropic Trooper
G0081 Turla
G0010 APT29
G0016 Play
G1040 PROMETHIUM
G0056 FIN10
G0051

Correlated CTI and IR reports

CTI Research: Kubernetes & Cloud-Native Threat Landscape
1200km CTI repository · explicit report mention CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention Executive Summary
Israel Threat Actors CTI · explicit report mention Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research
Israel Threat Actors CTI · explicit report mention CTI Research Kubernetes Cloud Native Threat Landscape
1200km Medium · authored report mention CTI Research Sandworm APT44
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research