Local Accounts

Information

• Name: Local Accounts

• ID: T1078.003

• Tactics: , , ,

• Technique:

Introduction

Local Accounts [T1078.003] is a sub-technique within the MITRE ATT&CK framework under the "Valid Accounts" technique (T1078). It involves adversaries obtaining and using credentials for local user accounts to gain initial access, maintain persistence, escalate privileges, or execute lateral movement within a target environment. Local accounts are those that are created and managed locally on a specific host, rather than centrally managed accounts such as domain accounts.

Deep Dive Into Technique

Adversaries leverage local account credentials to authenticate directly to a targeted system. These local accounts may have varying levels of privileges, ranging from standard user accounts to highly privileged administrative accounts. Attackers commonly exploit local accounts through the following methods:

• Credential Theft and Dumping:

  • Extracting credentials from memory using tools like Mimikatz or LSASS dumps.

  • Harvesting credentials stored in configuration files, scripts, or registry keys.

  • Capturing credentials through keylogging or credential phishing.

• Brute Force and Password Guessing:

  • Conducting brute force attacks against local accounts using automated tools such as Hydra, CrackMapExec, or Medusa.

  • Performing dictionary attacks using common or leaked passwords.

• Exploitation of Default or Weak Local Accounts:

  • Exploiting default local accounts (e.g., Administrator account with default credentials).

  • Targeting accounts with weak or predictable passwords.

• Privilege Escalation and Persistence:

  • Using compromised local accounts to escalate privileges (e.g., exploiting misconfigured permissions or leveraging local administrator privileges).

  • Creating additional local accounts with administrative rights for persistence and future access.

Attackers may leverage these local accounts to:

• Execute commands and scripts remotely or locally.

• Move laterally within the network by authenticating to additional systems.

• Maintain ongoing access to compromised systems, even after password resets or account lockouts.

When this Technique is Usually Used

Local account compromise typically occurs across multiple stages of an attack lifecycle, including:

• Initial Access:

  • Attackers may exploit weak or default local account credentials exposed externally (e.g., RDP, SSH).

• Persistence:

  • Creating backdoor local accounts or leveraging existing local accounts to maintain long-term access.

• Privilege Escalation:

  • Utilizing local accounts with administrative privileges to escalate from standard user accounts.

• Defense Evasion:

  • Using legitimate local credentials to blend in with normal administrative activity, avoiding suspicion.

• Lateral Movement:

  • Authenticating to other systems within the network using compromised local account credentials.

How this Technique is Usually Detected

Detection of local account misuse can be challenging but achievable through a combination of proactive monitoring, logging, and anomaly detection techniques:

• Monitoring Authentication Logs:

  • Analyze Windows Security Event Logs (Event ID 4624, 4625) for unusual or failed login attempts.

  • Monitor Linux/Unix authentication logs (/var/log/auth.log or /var/log/secure) for suspicious login activity.

• Behavioral Analytics:

  • Use User and Entity Behavior Analytics (UEBA) solutions to detect deviations from normal authentication patterns, such as logins during unusual hours, from unusual locations, or using uncommon methods.

• Endpoint Detection and Response (EDR) Tools:

  • Detect the execution of credential dumping tools (e.g., Mimikatz).

  • Identify suspicious local account creation or modification events.

• File Integrity Monitoring (FIM):

  • Monitor critical system files and directories for unauthorized changes or suspicious file access patterns.

• Password Auditing and Policy Enforcement:

  • Regularly audit local accounts for weak, default, or compromised passwords.

  • Implement password complexity policies and enforce regular password rotation.

Indicators of Compromise (IoCs) include:

• Unusual local account creation or modification events.

• Frequent failed login attempts followed by successful authentication.

• Authentication from unexpected IP addresses or locations.

• Execution artifacts from credential dumping tools (e.g., suspicious binaries, PowerShell scripts).

Why it is Important to Detect This Technique

Detecting unauthorized use of local accounts is crucial due to the significant potential impacts on system and network security:

• Persistence and Long-term Access:

  • Attackers leveraging local accounts can maintain persistent access, even after initial remediation efforts.

• Privilege Escalation and Control:

  • Compromised local administrator accounts provide attackers with elevated privileges, enabling unrestricted access, modification, or deletion of critical data.

• Lateral Movement:

  • Attackers can use local account credentials to move laterally, expanding the scope of compromise and increasing the difficulty of remediation.

• Data Exfiltration and Espionage:

  • Attackers with local account access can exfiltrate sensitive data, intellectual property, or personal information, leading to financial loss, regulatory penalties, and reputational damage.

• Operational Disruption:

  • Unauthorized local account access can disrupt business operations through sabotage, ransomware deployment, or denial-of-service attacks.

Early detection of local account compromise significantly reduces the risk of extensive damage, limits attacker dwell time, and enables rapid containment and remediation.

Examples

Real-world examples of attacks leveraging local accounts include:

• NotPetya Attack (2017):

  • Attackers used credential harvesting tools such as Mimikatz to extract local account credentials.

  • Leveraged local administrator credentials to propagate rapidly across networks, encrypting data and causing widespread operational disruption.

• SamSam Ransomware Attacks (2016-2018):

  • Attackers exploited weak local account credentials exposed via Remote Desktop Protocol (RDP) to gain initial access.

  • Utilized compromised local administrator accounts to deploy ransomware on targeted systems.

• FIN7 Cybercrime Group:

  • Conducted targeted attacks against retail and hospitality sectors, utilizing credential dumping tools and brute-force attacks to compromise local accounts.

  • Leveraged local account credentials for lateral movement and persistence, ultimately exfiltrating sensitive customer data.

Common tools and methods observed in these scenarios:

• Credential dumping tools: Mimikatz, LaZagne, gsecdump.

• Brute-force and password spraying tools: Hydra, CrackMapExec, Medusa.

• Remote administration tools (RATs): PsExec, Remote Desktop Protocol (RDP), SSH.

Impacts observed in these examples include:

• Financial losses due to operational downtime and ransom payments.

• Regulatory fines and legal penalties resulting from data breaches.

• Reputational damage and loss of customer trust.

• Extensive remediation efforts and associated costs.