T1078.003: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- supply_chain: PT-CR-1771: SupplyChain_Gitlab_Login_From_New_Address: A user with the Maintainer, Owner, or Developer role logged in to an application from a new address
- enterprise_1c_and_bitrix: PT-CR-669: Enterprise_1C_Logon_Of_Significant_User: A user logged in under a blacklisted account
- enterprise_1c_and_bitrix: PT-CR-671: Enterprise_1C_Logon_Same_User_From_Different_Terminals: Successful login from different terminals
- enterprise_1c_and_bitrix: PT-CR-670: Enterprise_1C_Enable_Account_And_Login: A newly created user logged in
- enterprise_1c_and_bitrix: PT-CR-668: Enterprise_1C_Using_Various_Accounts_On_One_Terminal: Logging in to the system from one host under multiple accounts
- postfix: PT-CR-2714: Postfix_Message_To_Root: A message was sent to the root user. If the message contains macros, they will be executed on behalf of the root user.
- kaspersky: PT-CR-1846: Kaspersky_Enable_User: A user enabled an account
- remote_work: PT-CR-1057: VPN_User_Abnormal_Access: Suspicious login to internal resources. A user logged in from another user's address, or the authentication data differs from the collected profile.
- remote_work: PT-CR-1056: VPN_MultiUser_IP: The same IP address is used in different VPN sessions
- remote_work: PT-CR-1048: RDG_Abnormal_Access: Suspicious RDG connection. Authentication data differs from the collected profile.
- remote_work: PT-CR-1055: VPN_Abnormal_Access: Suspicious VPN connection. Connection data differs from the previously collected profile.
- remote_work: PT-CR-1058: Remote_Login_From_Not_Allowed_Country: Connection via VPN or RDG from an IP address outside the address pool of the allowed countries
- web_servers_abnormal_activity: PT-CR-1969: Web_Servers_Abnormal_Activity_Many_Accounts_One_Host: An attacker can gain access to multiple accounts and use the capabilities of each of them in sequence to advance through the network
- web_servers_abnormal_activity: PT-CR-1965: Web_Servers_Abnormal_Activity_Many_Hosts_One_Account: An attacker can gain access to an account and use it from different computers to advance through the network
- network_devices_compromise: PT-CR-2284: ViPNet_Policy_Manager_User_Privileges_Modify: User privileges were changed
- clickhouse: PT-CR-1580: ClickHouse_Logon_Of_Significant_User: DBMS login under an account from the Applications_Significant_Users tabular list is detected
- clickhouse: PT-CR-1567: ClickHouse_Logon_Same_User_From_Different_Hosts: Attempts to log in to a DBMS under the same account from different hosts are detected
- clickhouse: PT-CR-1579: ClickHouse_Logon_Same_Host_Different_Users: Attempts to log in to a DBMS under different user accounts from the same host are detected
- vk_cloud: PT-CR-2305: VK_Cloud_Critical_DB_Operation: An untrusted user performed an operation on a critical database in VK Cloud. Attackers can bypass protection or gain persistence in the system by changing or deleting a critical database, creating a backup of it, or creating a new user in it. These operations give attackers access to sensitive information stored in the database, which they can use to further compromise the system.
- active_directory_attacks: PT-CR-656: Failed_Network_Access_With_Unknown_User: A user failed to log in to a Windows host on behalf of a disabled or non-existent account. This may indicate account brute-forcing or compromised credentials.
- unix_mitre_attck_lateral_movement: PT-CR-487: Unix_SSH_Login_By_Daemons: Lateral movement on behalf of a service account is detected. Attackers can use known service accounts to gain remote access to the target system.
- mitre_attck_lateral_movement: PT-CR-2462: Multiple_RDP_From_One_User_Or_Host: Multiple RDP connections from one host or account. This may indicate an attacker's hidden movement from one compromised system to another.
- profiling: PT-CR-1063: Wifi_Abnormal_Access: Suspicious connection to Wi-Fi equipment. Authentication data differs from the collected profile.
- profiling: PT-CR-1782: PT_IAM_Abnormal_Access: Suspicious logon to a Positive Technologies application using IAM. Authentication data differs from the collected profile.
- profiling: PT-CR-2519: Infowatch_TM_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differs from the collected profile.
- profiling: PT-CR-2337: PostgreSQL_Abnormal_Access: Suspicious logon to the PostgreSQL DBMS. Authentication data differs from the collected profile.
- profiling: PT-CR-2456: FreeIPA_Abnormal_Access: Suspicious authentication in the FreeIPA domain. Authentication data differs from the previously collected profile.
- profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differs from the collected profile.
- profiling: PT-CR-1051: KSC_Console_Abnormal_Access: Suspicious logon to the Kaspersky Security Center console. Authentication data differs from the collected profile.
- profiling: PT-CR-2388: Arista_EOS_Abnormal_Access: Suspicious connection to Arista hardware. Authentication data differs from the collected profile.
- profiling: PT-CR-1788: Keycloak_Abnormal_Access: Suspicious logon via Keycloak. Authentication data differs from the collected profile.
- profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differs from the collected profile.
- profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious login to the update server (FLUS/GUS). Authentication data differs from the collected profile.
- profiling: PT-CR-1808: Passwork_Abnormal_Access: Suspicious logon to Passwork. Authentication data differs from the collected profile.
- profiling: PT-CR-1792: ADFS_Abnormal_Access: Suspicious logon via Active Directory Federation Services (AD FS). Authentication data differs from the collected profile.
- profiling: PT-CR-2580: Citrix_NS_ADC_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differs from the collected profile.
- profiling: PT-CR-1061: Cisco_Abnormal_Access: Suspicious connection to Cisco hardware. Authentication data differs from the collected profile.
- profiling: PT-CR-1382: Checkpoint_Abnormal_Access: Suspicious connection to Check Point hardware. Authentication data differs from the collected profile.
- profiling: PT-CR-1049: Subrule_Unix_Server_Abnormal_Access: Suspicious SSH connections to Unix network servers. Authentication data differs from the collected profile.
- profiling: PT-CR-1791: Application_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differs from the collected profile.
- profiling: PT-CR-1041: Teamcity_Abnormal_Access: Suspicious logon to TeamCity. Authentication data differs from the collected profile.
- profiling: PT-CR-2059: Zabbix_Abnormal_Access: Suspicious logon to Zabbix. Authentication data differs from the previously collected profile.
- profiling: PT-CR-1920: PTAF_Abnormal_Access: Suspicious logon to PT AF. Authentication data differs from the collected profile.
- profiling: PT-CR-1059: VCenter_Abnormal_Access: Suspicious logon to vCenter. Authentication data differs from the collected profile.
- profiling: PT-CR-1062: Fortigate_Abnormal_Access: Suspicious connection to FortiGate hardware. Authentication data differs from the collected profile.
- profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differs from the collected profile.
- profiling: PT-CR-1054: Subrule_Teampass_Login_Successful: Logon to TeamPass
- profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differs from the collected profile.
- profiling: PT-CR-1811: Teamcity_Abnormal_BuildConfig_Modify: Suspicious logon and build configuration changes in TeamCity. Authentication data differs from the collected profile.
- profiling: PT-CR-1034: App_1C_Enterprise_Abnormal_Access: Suspicious logon to 1C:Enterprise. Authentication data differs from the collected profile.
- profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differs from the collected profile.
- profiling: PT-CR-1050: Subrule_Windows_Host_Abnormal_Access: Suspicious logon to a critical host. Authentication data differs from the collected profile.
- profiling: PT-CR-1809: Gitlab_Abnormal_Access: Suspicious logon to GitLab. Authentication data differs from the collected profile.
- profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: Suspicious logon to a host with access to the 1C application. Authentication data differs from the collected profile.
- profiling: PT-CR-1037: UsWeb_Abnormal_Access: Suspicious login to the update server web interface. Authentication data differs from the collected profile.
- profiling: PT-CR-1785: Teampass_Abnormal_Access: Suspicious logon to TeamPass. Authentication data differs from the collected profile.
- profiling: PT-CR-1784: MSSQL_Abnormal_Access: Suspicious logon to Microsoft SQL Server. Authentication data differs from the collected profile.
- profiling: PT-CR-1793: Confluence_Abnormal_Access: Suspicious logon to Confluence. Authentication data differs from the collected profile.
- profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differs from the collected profile.
- profiling: PT-CR-2325: Grafana_Abnormal_Access: Suspicious logon to Grafana. Authentication data differs from the collected profile.
- profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager's workstation. Authentication data differs from the collected profile.
- profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differs from the collected profile.
- profiling: PT-CR-1787: MFA_Abnormal_Access: Suspicious authentication in Multifactor. Authentication data differs from the collected profile.
- profiling: PT-CR-2137: Hashicorp_Vault_Abnormal_Access: Suspicious logon to Vault. Authentication data differs from the collected profile.
- profiling: PT-CR-218: SecurityAdmin_Abnormal_Access: Suspicious logon by a security administrator. Authentication data differs from the collected profile.
Detection
ID | Data source and component | Description
---|---|---
DS0028 | Logon Session: Logon Session Creation | Monitor for suspicious account behavior across systems that share accounts, whether user, admin, or service accounts. Examples: one account logged in to multiple systems simultaneously; multiple accounts logged in to the same machine simultaneously; accounts logged in at odd times or outside business hours. The activity may come from interactive logon sessions or from process ownership, when an account is used to execute binaries on a remote system. A remote desktop logon over Remote Desktop Protocol may be typical of a system administrator or IT support, but only from select workstations; monitoring remote desktop logons and comparing them against known/approved originating systems can detect an adversary's lateral movement. Multiple users logged in to a single machine at the same time, or even within the same hour, do not typically occur in the networks we have observed. Logon events are Windows Event ID 4624 on Windows Vista and later and 528 (540 for network logons) on earlier versions; logoff events are 4634 on Vista and later and 538 on earlier versions. Logon types 2 (interactive), 3 (network), 9 (new credentials) and 10 (remote interactive, i.e. RDP) are of interest; for details see the Logon Types table on Microsoft's Audit Logon Events page. Analytic 1 - Remote Desktop Logon
DS0028 | Logon Session: Logon Session Metadata | Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
DS0002 | User Account: User Account Authentication | Monitor for attempts by a user to gain access to a network or computing resource, often through domain authentication services such as the System Security Services Daemon (sssd) on Linux. Notes: on Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to the log files that track authentication attempts, including
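The correlation logic described in the Logon Session Creation row, as an added example written for this page (it is not code from MITRE and not one of the MaxPatrol SIEM rules listed above). It runs over constructed 4624 records carrying the fields Computer, TargetUserName, TargetDomainName, LogonType and IpAddress and flags one account active on several hosts inside a time window, several accounts on one host, RDP logons (type 10) from systems outside an assumed approved list, and logons outside business hours. The field names, the approved-source address, the windows and the thresholds are assumptions of the example.

```python
"""Correlation checks over Windows 4624 logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types the detection guidance singles out: 2 interactive, 3 network,
# 9 new credentials (runas /netonly), 10 RemoteInteractive (RDP).
LOGON_TYPES_OF_INTEREST = {2, 3, 9, 10}
RDP_LOGON_TYPE = 10

# Assumption for the example: the only system allowed to originate RDP sessions.
APPROVED_RDP_SOURCES = {"10.0.9.2"}

# Constructed sample events, not real telemetry. For a local account 4624
# reports the machine name as TargetDomainName ("domain" here).
SAMPLE_EVENTS = [
    {"time": "2024-05-06T09:00:00", "computer": "WS01", "user": "alice", "domain": "CORP", "logon_type": 2, "src_ip": "-"},
    {"time": "2024-05-06T09:05:00", "computer": "SRV01", "user": "Administrator", "domain": "SRV01", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2024-05-06T09:07:00", "computer": "SRV02", "user": "Administrator", "domain": "SRV02", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2024-05-06T09:09:00", "computer": "SRV03", "user": "Administrator", "domain": "SRV03", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"time": "2024-05-06T09:12:00", "computer": "WS07", "user": "bob", "domain": "CORP", "logon_type": 3, "src_ip": "10.0.1.9"},
    {"time": "2024-05-06T09:13:00", "computer": "WS07", "user": "carol", "domain": "CORP", "logon_type": 3, "src_ip": "10.0.1.9"},
    {"time": "2024-05-06T09:14:00", "computer": "WS07", "user": "dave", "domain": "CORP", "logon_type": 3, "src_ip": "10.0.1.9"},
    {"time": "2024-05-06T10:30:00", "computer": "SRV01", "user": "helpdesk", "domain": "CORP", "logon_type": 10, "src_ip": "10.0.9.2"},
    {"time": "2024-05-06T22:45:00", "computer": "WS01", "user": "alice", "domain": "CORP", "logon_type": 2, "src_ip": "-"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def is_local_account(ev):
    """Local account logons carry the machine name as TargetDomainName."""
    return ev["domain"].upper() == ev["computer"].upper()


def account_key(ev):
    """Local accounts are keyed by name only, so the same local name reused on
    several hosts (the password-reuse pattern) collapses into one key; domain
    accounts keep their domain prefix."""
    return ev["user"] if is_local_account(ev) else f'{ev["domain"]}\\{ev["user"]}'


def _distinct_within_window(events, key_fn, value_fn, window, minimum):
    """Per key, slide a window over its events (sorted by time) and report keys
    whose window ever holds at least `minimum` distinct values."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in LOGON_TYPES_OF_INTEREST:
            by_key[key_fn(ev)].append((parse_time(ev["time"]), value_fn(ev)))
    hits = defaultdict(set)
    for key, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {value for _, value in items[start:end + 1]}
            if len(distinct) >= minimum:
                hits[key] |= distinct
    return {key: sorted(values) for key, values in hits.items()}


def one_account_many_hosts(events, window_minutes=60, min_hosts=2):
    """Account -> hosts it logged on to within the window (>= min_hosts)."""
    return _distinct_within_window(events, account_key, lambda ev: ev["computer"],
                                   timedelta(minutes=window_minutes), min_hosts)


def many_accounts_one_host(events, window_minutes=60, min_accounts=3):
    """Host -> accounts that logged on to it within the window (>= min_accounts)."""
    return _distinct_within_window(events, lambda ev: ev["computer"], account_key,
                                   timedelta(minutes=window_minutes), min_accounts)


def rdp_from_unapproved_sources(events, approved=APPROVED_RDP_SOURCES):
    """Type-10 logons whose originating address is not an approved system."""
    return [(ev["computer"], ev["user"], ev["src_ip"]) for ev in events
            if ev["logon_type"] == RDP_LOGON_TYPE and ev["src_ip"] not in approved]


def outside_business_hours(events, start_hour=7, end_hour=19):
    """Logons whose hour falls outside [start_hour, end_hour)."""
    return [(ev["computer"], ev["user"], ev["time"]) for ev in events
            if not start_hour <= parse_time(ev["time"]).hour < end_hour]


if __name__ == "__main__":
    for name, check in [("one account, many hosts", one_account_many_hosts),
                        ("many accounts, one host", many_accounts_one_host),
                        ("RDP from unapproved source", rdp_from_unapproved_sources),
                        ("logon outside business hours", outside_business_hours)]:
        print(f"{name}: {check(SAMPLE_EVENTS)}")
```

Keying local accounts by bare name is deliberate: a local Administrator that carries the same password on SRV01, SRV02 and SRV03 shows up as one account touching three hosts from one source address within minutes, which is exactly the reuse-driven lateral movement the technique describes. A domain account is keyed as DOMAIN\user so that two domains with a same-named user do not merge. In a deployment the events would arrive from Windows event forwarding or the SIEM rather than an inline list, and the windows and thresholds need tuning per environment.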
Mitigation
ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Audit local account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account. Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries. For example, audit the use of service accounts in Kubernetes, and avoid automatically granting them access to the Kubernetes API if this is not required. Implementing LAPS also helps prevent reuse of local administrator credentials across a domain.
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
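A check for the unique-password requirement in M1027, as an added example (not code from this page or from Positive Technologies). Given per-host SAM dumps in the `user:rid:lmhash:nthash:::` line format that impacket's secretsdump writes, it groups local accounts by NT hash and reports any hash that appears on more than one host, lists accounts whose NT hash is that of the empty password, and shows which account holds the built-in administrator RID 500 on each host even where it has been renamed. The host names and hash values here are constructed; collecting real dumps requires authorised local administrator access to each host.

```python
"""Audit for reused local administrator passwords across hosts (added example)."""
from collections import defaultdict

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
BUILTIN_ADMIN_RID = 500  # the built-in Administrator keeps RID 500 when renamed

# Constructed sample dumps in secretsdump's SAM line format (user:rid:lm:nt:::),
# keyed by the host they were taken from. Hash values are sample data.
SAM_DUMPS = {
    "SRV01": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::""",
    "SRV02": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::""",
    "WS07": """LocalAdmin:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::""",
    "SRV03": """Administrator:500:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::""",
}


def parse_sam_dump(text):
    """Parse user:rid:lmhash:nthash::: lines; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def find_shared_hashes(dumps, min_hosts=2):
    """NT hash -> sorted host\\user owners, for hashes present on >= min_hosts hosts.
    NT hashes are unsalted, so an identical hash on two hosts is an identical
    password; that is the reuse LAPS is meant to eliminate. The empty-password
    hash is left out here and reported by accounts_with_empty_password."""
    hosts_by_hash = defaultdict(set)
    owners_by_hash = defaultdict(list)
    for host, text in dumps.items():
        for entry in parse_sam_dump(text):
            if entry["nt"] == EMPTY_NT_HASH:
                continue
            hosts_by_hash[entry["nt"]].add(host)
            owners_by_hash[entry["nt"]].append(f"{host}\\{entry['user']}")
    return {nt: sorted(owners_by_hash[nt]) for nt, hosts in hosts_by_hash.items()
            if len(hosts) >= min_hosts}


def accounts_with_empty_password(dumps):
    """host\\user for every account whose NT hash is the empty-password hash."""
    return sorted(f"{host}\\{entry['user']}" for host, text in dumps.items()
                  for entry in parse_sam_dump(text) if entry["nt"] == EMPTY_NT_HASH)


def builtin_admin_names(dumps):
    """host -> name currently carried by RID 500; renaming does not change the RID."""
    return {host: next((e["user"] for e in parse_sam_dump(text) if e["rid"] == BUILTIN_ADMIN_RID), None)
            for host, text in dumps.items()}


if __name__ == "__main__":
    for nt, owners in find_shared_hashes(SAM_DUMPS).items():
        print(f"NT hash {nt} reused by: {', '.join(owners)}")
    print("empty passwords:", accounts_with_empty_password(SAM_DUMPS))
    print("RID 500 accounts:", builtin_admin_names(SAM_DUMPS))
```

Matching on RID rather than on the name is what catches WS07, where the built-in administrator was renamed to LocalAdmin yet still shares its password with SRV01 and SRV02. An account that appears only once with a unique hash (SRV03 here) is what a LAPS-managed fleet should look like for every host.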