T1078.003: T1078.003

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:26 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1078.003
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:26
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Local Accounts

Platforms

windows macos linux Network Devices Containers ESXi

Description

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1078.003)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (33)

FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lamia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jewelbug uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA505 uses Hive0065Spandex Tempest

The MITRE Corporation Confidence 100

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
lynx uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Velvet Ant uses

The MITRE Corporation Confidence 100

[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LightBasin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 33

ChrGetPdsi uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LEMONSTICK uses

Family
Burntcigar uses
RomCom uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByteNT uses

Family
Sliver uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AteraAgent uses

Family
Quasar RAT uses

Family
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 63

Weaver Ant, the Web Shell Whisperer: Tracking a … related

26 MITREs 2 Malwares 1 Observable 1 APT
Confluence Exploit Leads to LockBit Ransomware related

4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
Play Ransomware Engagement related

17 MITREs 3 Malwares 1 APT
Understanding the Initial Stages of Web Shell and … related

1 CVE 16 MITREs 1 Observable
Lynx Ransomware: A Rebranding of INC Ransomware related

15 MITREs 2 Malwares 44 Observables 1 APT
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis related

14 MITREs 4 Malwares 106 Observables 1 APT
Analysis of the BlackJack group: techniques, tools, and … related

20 MITREs 3 Malwares 1 Observable 1 APT
BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities … related

21 MITREs 2 Malwares 4 Observables 1 APT
Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure related

1 CVE 27 MITREs 1 Malware 18 Observables 1 APT

← Previous

Page / 2

13–21 of 21

Vulnerabilities (CVE) (18)

CVE-2024-23897 KEV targets

9.8 Critical

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …

Attack vector: Network
Published: 19/08/2024
Modified: 21/12/2025

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2025-31199 targets

5.5 Medium

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, …

Attack vector: Local
Complexity: Low
Published: 30/05/2025
Modified: 02/04/2026

CWE-532 Awaiting Analysis

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 2

13–18 of 18

T1078 subtechnique-of

Valid Accounts MITRE

Course Of Action (2)

Password Policies mitigates
User Account Management mitigates

Campaign (4)

Leviathan Australian Intrusions uses
Operation Wocao uses
Anthropic AI-orchestrated Campaign uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use