T1078.003: T1078.003
Essential information
- MITRE technique ID
T1078.003- Confidence
- 100/100
- Revoked
- No
- Published
- 13/03/2020 21:26
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Local Accounts
Platforms
windows macos linux Network Devices Containers ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | initial-access |
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (33)
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackJack usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FIN10 usesThe MITRE Corporation Confidence 100
[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Agenda relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Weaver Ant relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (63)
-
Mamona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Umbreon usesFamily The MITRE Corporation Confidence 100
A Linux rootkit that provides backdoor access and hides from defenders.
First seen 01/01/1970 · Last seen 16/11/5138 · -
Veaamp usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lynx ransomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Coroxy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Truebot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Prinz Eugen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mimic usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ROLLCOAST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Qilin usesThe MITRE Corporation Confidence 100
[Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Rhadamanthys usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (21)
-
26 MITREs 2 Malwares 1 Observable 1 APT
-
4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
-
Play Ransomware Engagement related17 MITREs 3 Malwares 1 APT
-
1 CVE 16 MITREs 1 Observable
-
15 MITREs 2 Malwares 44 Observables 1 APT
-
14 MITREs 4 Malwares 106 Observables 1 APT
-
20 MITREs 3 Malwares 1 Observable 1 APT
-
21 MITREs 2 Malwares 4 Observables 1 APT
-
1 CVE 27 MITREs 1 Malware 18 Observables 1 APT
Vulnerabilities (CVE) (18)
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …
- Attack vector
- NETWORK
- Published
- 12/10/2024
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …
- Attack vector
- Network
- Published
- 04/12/2024
- Modified
- 21/12/2025
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 15/09/2017
- Modified
- 22/04/2026
Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …
- Published
- 03/11/2021
- Modified
- 20/04/2026
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …
- Attack vector
- Network
- Published
- 02/06/2025
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.
- Attack vector
- Network
- Published
- 24/01/2024
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
- Attack vector
- Network
- Published
- 07/03/2024
- Modified
- 21/12/2025
Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
Course Of Action (2)
-
Password Policies mitigates
-
User Account Management mitigates
Campaign (4)
-
Leviathan Australian Intrusions uses
-
Operation Wocao uses
-
Anthropic AI-orchestrated Campaign uses
-
SolarWinds Compromise uses