Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Valid Accounts: Local Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1078.003 | Local Accounts |
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_platform | Identity Platform | technique_scores | T1078.003 | Local Accounts |
Comments
Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
References
|