Valid Accounts: Local Accounts T1078.003

Tactics: Stealth, Persistence, Privilege Escalation, Initial Access

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Events covered

6 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 23 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                      | Rules | How                                   | Sample values
---------------------------|-------|---------------------------------------|------------------------------------------------------
event.type                 | 8     | eq 5, in 3                            | start, process_started, change
host.os.type               | 7     | eq 7                                  |
process_name               | 6     | eq 5, in 1                            | dscl, net1.exe, debugfs, dseditgroup, dsenableroot
process.args               | 5     | eq 3, ne 2, starts_with 1, wildcard 1 | -R, -a, -append, -d, /Groups/admin
CommandLine                | 4     | contains 4                            | -a , -adduser , -admin , -append , -d
EventType                  | 4     | eq 3, in 1                            | exec, od_group_add, ssh_login, user_login
Image                      | 4     | ends_with 4                           | /dscl, /dseditgroup, /dsenableroot, /sysadminctl
user                       | 3     | in 2, ne 1                            | backup, _apt, _chrony, avahi, bin
ParentImage                | 2     | is_not_null 2                         |
event.category             | 2     | eq 2                                  | authentication, process
message_id                 | 2     | eq 2                                  | 502101, 502103
sourcetype                 | 2     | eq 2                                  | cisco:asa
All_Changes.result         | 1     | contains 1                            | lock
All_Changes.result_id      | 1     | eq 1                                  | 4720, 4726
AuthenticationPackageName  | 1     | eq 1                                  | Negotiate

Top indicator values (116 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination appears only in rules under this technique.

Field                      | Kind     | Value             | Rules (here) | Corpus reach
---------------------------|----------|-------------------|--------------|-------------
event.type                 | eq       | start             | 4            | 606
event.type                 | in       | process_started   | 3            | 40
event.type                 | in       | start             | 3            | 42
EventType                  | eq       | exec              | 2            | 171
process_name               | eq       | net1.exe          | 2            | 35
sourcetype                 | eq       | cisco:asa         | 2            | 13
user                       | in       | backup            | 2            | 2
user                       | in       | bin               | 2            | 2
user                       | in       | dnsmasq           | 2            | 2
user                       | in       | games             | 2            | 2
user                       | in       | gnats             | 2            | 2
user                       | in       | irc               | 2            | 2
user                       | in       | list              | 2            | 2
user                       | in       | mail              | 2            | 2
user                       | in       | man               | 2            | 2
user                       | in       | messagebus        | 2            | 2
user                       | in       | news              | 2            | 2
user                       | in       | proxy             | 2            | 2
user                       | in       | sshd              | 2            | 2
user                       | in       | sys               | 2            | 2
user                       | in       | systemd-timesync  | 2            | 2
user                       | in       | uucp              | 2            | 2
All_Changes.result         | contains | lock              | 1            | 2
All_Changes.result_id      | eq       | 4720              | 1            | 2
All_Changes.result_id      | eq       | 4726              | 1            |
AuthenticationPackageName  | eq       | Negotiate         | 1            | 4
CommandLine                | contains | -a                | 1            | 5
CommandLine                | contains | -adduser          | 1            |
CommandLine                | contains | -admin            | 1            |
CommandLine                | contains | -append           | 1            |

Exclusions (71 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field             | Kind     | Value                                                                          | Rules excluding
------------------|----------|--------------------------------------------------------------------------------|----------------
CommandLine       | contains | -d                                                                             | 1
CurrentDirectory  | eq       | C:\Program Files\Infraon Corp\SecuraAgent\                                     | 1
CurrentDirectory  | eq       | C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\ | 1
Image             | in       | /opt/gitlab/embedded/bin/bundle                                                | 1
Image             | in       | /run/podman-init                                                               | 1
Image             | in       | /usr/bin/atq                                                                   | 1
Image             | in       | /usr/bin/atrm                                                                  | 1
Image             | in       | /usr/bin/basename                                                              | 1
Image             | in       | /usr/bin/date                                                                  | 1
Image             | in       | /usr/bin/dircolors                                                             | 1
Image             | in       | /usr/bin/env                                                                   | 1
Image             | in       | /usr/bin/locale                                                                | 1
Image             | in       | /usr/bin/readlink                                                              | 1
Image             | in       | /usr/bin/tr                                                                    | 1
Image             | in       | /usr/sbin/sendmail                                                             | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.


Sigma 5 rules

Elastic 13 rules

Splunk 5 rules