T1078.003 — Local Accounts

Technique

T1078.003

Tactics

Stealth, Persistence, Privilege Escalation, Initial Access

MISP citations

0

KEV CVEs mapped

1

Community rules

5

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1078/003

MITRE description

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-44168

Detection coverage

SigmaHQ community rules

• User Added To Admin Group Via Dscl (core)
• User Added To Admin Group Via DseditGroup (core)
• Root Account Enable Via Dsenableroot (core)
• User Added To Admin Group Via Sysadminctl (core)
• Admin User Remote Logon (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.