T1078.003: T1078.003

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:26 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1078.003
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:26
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Local Accounts

Platforms

windows macos linux Network Devices Containers ESXi

Description

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1078.003)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (33)

DragonForce uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ROOTBOY uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jumpy Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tropic Trooper uses Pirate PandaKeyBoy

The MITRE Corporation Confidence 100

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CrazyHunter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomEXX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
rhysida uses

Ransomware.Live Confidence 100

Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PROMETHIUM uses StrongPity

The MITRE Corporation Confidence 100

[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish…

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 33

ChrGetPdsi uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LEMONSTICK uses

Family
Burntcigar uses
RomCom uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByteNT uses

Family
Sliver uses

Family
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AteraAgent uses

Family
Quasar RAT uses

Family
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 63

Prinz Eugen ransomware: a deep dive into a … related

AlienVault Confidence 100 17 MITREs 1 Malware 16 IOCs 14 Observables 1 APT
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
How a Tax Search Leads to Kernel-Mode AV/EDR … related

14 MITREs 2 Malwares 12 Observables
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Analysis of Trigona Threat Actor's Latest Attack Cases related

18 MITREs 2 Malwares 5 Observables 1 APT
Three Lazarus RATs coming for your cheese related

24 MITREs 1 APT
Warning Against Distribution of Malware Disguised as Research … related

14 MITREs 3 Observables 1 APT
CoffeeLoader: A Brew of Stealthy Techniques related

15 MITREs 3 Malwares 5 Observables

← Previous

Page / 2

1–12 of 21

Vulnerabilities (CVE) (18)

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2024-51378 KEV targets

10.0 Critical

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …

Attack vector: Network
Published: 04/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2024-56145 KEV targets

9.8 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-51567 KEV targets

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 2

1–12 of 18

T1078 subtechnique-of

Valid Accounts MITRE

Course Of Action (2)

Password Policies mitigates
User Account Management mitigates

Campaign (4)

Leviathan Australian Intrusions uses
Operation Wocao uses
Anthropic AI-orchestrated Campaign uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use