T1078.003: T1078.003

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:26 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1078.003
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:26
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Local Accounts

Platforms

windows macos linux Network Devices Containers ESXi

Description

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1078.003)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (33)

play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly, Evasive Panda, Bronze Highland uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackJack uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM uses Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN10 uses

The MITRE Corporation Confidence 100

[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agenda related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Weaver Ant related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

25–33 of 33

ChrGetPdsi uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LEMONSTICK uses

Family
Burntcigar uses
RomCom uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByteNT uses

Family
Sliver uses

Family
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AteraAgent uses

Family
Quasar RAT uses

Family
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 63

Prinz Eugen ransomware: a deep dive into a … related

AlienVault Confidence 100 17 MITREs 1 Malware 16 IOCs 14 Observables 1 APT
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
How a Tax Search Leads to Kernel-Mode AV/EDR … related

14 MITREs 2 Malwares 12 Observables
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Analysis of Trigona Threat Actor's Latest Attack Cases related

18 MITREs 2 Malwares 5 Observables 1 APT
Three Lazarus RATs coming for your cheese related

24 MITREs 1 APT
Warning Against Distribution of Malware Disguised as Research … related

14 MITREs 3 Observables 1 APT
CoffeeLoader: A Brew of Stealthy Techniques related

15 MITREs 3 Malwares 5 Observables

← Previous

Page / 2

1–12 of 21

Vulnerabilities (CVE) (18)

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2024-51378 KEV targets

10.0 Critical

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …

Attack vector: Network
Published: 04/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2024-56145 KEV targets

9.8 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-51567 KEV targets

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 2

1–12 of 18

T1078 subtechnique-of

Valid Accounts MITRE

Course Of Action (2)

Password Policies mitigates
User Account Management mitigates

Campaign (4)

Leviathan Australian Intrusions uses
Operation Wocao uses
Anthropic AI-orchestrated Campaign uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use