T1078.003

Local Accounts

Defense Evasion Persistence Privilege Escalation Initial Access

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Adversaries may target dormant local accounts, brute-force local admin credentials, create new local accounts, or reuse harvested credentials across multiple systems. This technique is commonly observed in ransomware operations, APT lateral movement, and post-exploitation frameworks such as Cobalt Strike.

Microsoft Sentinel / Defender

kusto

// T1078.003 - Local Account Abuse Detection
// Detects suspicious use of local accounts including new account creation, logons from unexpected sources, and lateral movement indicators
let SuspiciousLocalAccountEvents = union
(
    // New local account creation
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4720
    | where TargetDomainName == "."
        or TargetDomainName =~ Computer
        or TargetDomainName == ""
    | extend EventType = "LocalAccountCreated", RiskScore = 3
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Local account enabled (possibly reactivating dormant account)
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4722
    | where TargetDomainName == "."
        or TargetDomainName =~ Computer
        or TargetDomainName == ""
    | extend EventType = "LocalAccountEnabled", RiskScore = 2
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Local account added to local Administrators group
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4732
    | where TargetDomainName == "Administrators" or TargetUserName =~ "Administrators"
    | extend EventType = "AddedToAdministrators", RiskScore = 4
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Successful local logon (Type 3 network or Type 10 remote interactive) using local account
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | where TargetDomainName == "."
        or TargetDomainName =~ Computer
        or TargetDomainName == ""
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1")
    | where IpAddress !in ("127.0.0.1", "::1", "-")
    | extend EventType = "NetworkLogonLocalAccount", RiskScore = 2
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName = "", SubjectLogonId = "",
              Activity, EventID
),
(
    // Explicit credential use with local account (runas / pass-the-hash style)
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4648
    | where TargetDomainName == "."
        or TargetDomainName =~ Computer
        or TargetDomainName == ""
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | extend EventType = "ExplicitCredentialUseLocalAccount", RiskScore = 3
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Failed logon attempts against local accounts (brute force indicator)
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4625
    | where TargetDomainName == "."
        or TargetDomainName =~ Computer
        or TargetDomainName == ""
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | extend EventType = "FailedLogonLocalAccount", RiskScore = 1
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName = "", SubjectLogonId = "",
              Activity, EventID
)
| sort by TimeGenerated desc;
// Aggregate failed logon attempts to detect brute force
let BruteForce =
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4625
    | where TargetDomainName == "." or TargetDomainName =~ Computer or TargetDomainName == ""
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | summarize FailCount = count(), DistinctUsers = dcount(TargetUserName) by Computer, bin(TimeGenerated, 10m)
    | where FailCount >= 10
    | extend EventType = "BruteForceLocalAccount", RiskScore = 5, TargetUserName = "(multiple)", SubjectUserName = "", SubjectLogonId = "", Activity = "Multiple failed logons", EventID = 4625;
union SuspiciousLocalAccountEvents, BruteForce
| sort by TimeGenerated desc, RiskScore desc

high severity medium confidence

Data Sources

Logon: Logon User Account: User Account Creation User Account: User Account Modification Windows Security Event Log

Required Tables

SecurityEvent

False Positives

IT helpdesk creating local accounts for break-glass or emergency access scenarios (expected during documented maintenance windows)
Software installation procedures that create local service accounts (e.g., SQL Server, antivirus agents, monitoring tools installing their own local accounts)
Remote management tools (e.g., LAPS, PDQ Deploy, SCCM) authenticating to endpoints using the local administrator account for legitimate patching or management tasks
Developers or QA engineers logging into test machines with local credentials instead of domain accounts
Backup agents or monitoring services that authenticate via local accounts from internal management servers

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4720 OR EventCode=4722 OR EventCode=4732 OR EventCode=4624 OR EventCode=4625 OR EventCode=4648)
]
| eval TargetDomainName=coalesce(TargetDomainName, Target_Domain_Name, "")
| eval Computer=coalesce(ComputerName, host)
| eval TargetUserName=coalesce(TargetUserName, Target_Account_Name, "")
| eval SubjectUserName=coalesce(SubjectUserName, Subject_Account_Name, "")
| eval LogonType=coalesce(LogonType, Logon_Type, "")
| eval IpAddress=coalesce(IpAddress, Source_Network_Address, "")
// Determine if account is local (domain matches computer name or is ".")
| eval IsLocalAccount=if(TargetDomainName="." OR lower(TargetDomainName)=lower(Computer) OR TargetDomainName="", 1, 0)
| where IsLocalAccount=1
// Filter built-in noise
| where NOT (TargetUserName IN ("ANONYMOUS LOGON","LOCAL SERVICE","NETWORK SERVICE","SYSTEM","DWM-1","DWM-2","DWM-3","UMFD-0","UMFD-1") OR TargetUserName="")
// Classify events
| eval EventType=case(
    EventCode=4720, "LocalAccountCreated",
    EventCode=4722, "LocalAccountEnabled",
    EventCode=4732, "AddedToAdministrators",
    EventCode=4624 AND (LogonType="3" OR LogonType="10") AND NOT (IpAddress="127.0.0.1" OR IpAddress="::1" OR IpAddress="-"), "NetworkLogonLocalAccount",
    EventCode=4625, "FailedLogonLocalAccount",
    EventCode=4648, "ExplicitCredentialUseLocalAccount",
    true(), "OtherLocalAccountEvent"
)
| where EventType!="OtherLocalAccountEvent"
// Assign risk scores
| eval RiskScore=case(
    EventCode=4720, 3,
    EventCode=4722, 2,
    EventCode=4732, 4,
    EventCode=4624, 2,
    EventCode=4625, 1,
    EventCode=4648, 3,
    true(), 1
)
// Detect brute force: 10+ failures per host per 10-minute window
| eval _timebucket=strftime(round(_time/600)*600, "%Y-%m-%dT%H:%M:%S")
| eventstats count(eval(EventCode=4625)) AS FailCount by Computer, _timebucket
| eval RiskScore=if(EventCode=4625 AND FailCount>=10, 5, RiskScore)
| eval EventType=if(EventCode=4625 AND FailCount>=10, "BruteForceLocalAccount", EventType)
| table _time, Computer, EventType, EventCode, RiskScore, TargetUserName, SubjectUserName, LogonType, IpAddress, FailCount
| sort - _time - RiskScore

high severity medium confidence

Data Sources

Logon: Logon User Account: User Account Creation User Account: User Account Modification Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

IT helpdesk creating local accounts for break-glass or emergency access scenarios (expected during documented maintenance windows)
Software installation procedures that create local service accounts (e.g., SQL Server, antivirus agents, monitoring tools installing their own local accounts)
Remote management tools (e.g., LAPS, PDQ Deploy, SCCM) authenticating to endpoints using the local administrator account for legitimate patching or management tasks
Developers or QA engineers logging into test machines with local credentials instead of domain accounts
Backup agents or monitoring services that authenticate via local accounts from internal management servers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS computer,
  username AS target_username,
  "Account Domain" AS target_domain,
  QIDNAME(qid) AS event_name,
  eventid AS event_code,
  sourceip,
  CASE
    WHEN eventid = 4720 THEN 'LocalAccountCreated'
    WHEN eventid = 4722 THEN 'LocalAccountEnabled'
    WHEN eventid = 4732 THEN 'AddedToAdministrators'
    WHEN eventid = 4624 THEN 'NetworkLogonLocalAccount'
    WHEN eventid = 4625 THEN 'FailedLogonLocalAccount'
    WHEN eventid = 4648 THEN 'ExplicitCredentialUseLocalAccount'
    ELSE 'Other'
  END AS event_type,
  CASE
    WHEN eventid = 4720 THEN 3
    WHEN eventid = 4722 THEN 2
    WHEN eventid = 4732 THEN 4
    WHEN eventid = 4624 THEN 2
    WHEN eventid = 4625 THEN 1
    WHEN eventid = 4648 THEN 3
    ELSE 1
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%'
  AND eventid IN (4720, 4722, 4732, 4624, 4625, 4648)
  AND (
    "Account Domain" = '.'
    OR "Account Domain" = ''
    OR LOWER("Account Domain") = LOWER(devicehostname)
  )
  AND username NOT IN (
    'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE',
    'SYSTEM', 'DWM-1', 'DWM-2', 'DWM-3', 'UMFD-0', 'UMFD-1'
  )
  AND username IS NOT NULL
  AND username != ''
  AND (
    eventid != 4624
    OR (
      "Logon Type" IN ('3', '10')
      AND sourceip NOT IN ('127.0.0.1', '::1', '-')
    )
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC, risk_score DESC

high severity medium confidence

Data Sources

Windows Security Event Log forwarded to QRadar via WinCollect or syslog

Required Tables

events

False Positives

Domain-joined workstations where the computer name partially matches a domain name, causing legitimate domain logons to be misclassified as local account logons
Scheduled tasks or services configured to run under local accounts on servers, generating frequent Type 3 logon events during normal operation
Password reset or account provisioning workflows that create and enable local accounts in bulk as part of automated onboarding processes

Sumo Logic CSE

sql

_sourceCategory=*WinEventLog* OR _sourceCategory=*windows*security*
| where EventCode in ("4720", "4722", "4732", "4624", "4625", "4648")
| parse field=Message "Account Domain:\t*\r" as TargetDomainName nodrop
| parse field=Message "Account Name:\t\t*\r" as TargetUserName nodrop
| parse field=Message "Security ID:\t\t*\r" as SubjectSecurityID nodrop
| parse field=Message "Logon Type:\t\t*\r" as LogonType nodrop
| parse field=Message "Source Network Address:\t*\r" as SourceIpAddress nodrop
| if(isNull(TargetDomainName), "", TargetDomainName) as TargetDomainName
| if(isNull(TargetUserName), "", TargetUserName) as TargetUserName
| if(isNull(LogonType), "", LogonType) as LogonType
| if(isNull(SourceIpAddress), "", SourceIpAddress) as SourceIpAddress
// Identify local accounts: domain is ".", empty, or matches the computer name
| where TargetDomainName = "." OR TargetDomainName = "" OR toLowerCase(TargetDomainName) = toLowerCase(Computer)
// Filter system noise
| where TargetUserName not in ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1")
| where !isBlank(TargetUserName)
// Only count 4624 when it's a network or remote interactive logon not from localhost
| where EventCode != "4624" OR (LogonType in ("3", "10") AND SourceIpAddress not in ("127.0.0.1", "::1", "-"))
// Classify event types
| if(EventCode = "4720", "LocalAccountCreated",
    if(EventCode = "4722", "LocalAccountEnabled",
      if(EventCode = "4732", "AddedToAdministrators",
        if(EventCode = "4624", "NetworkLogonLocalAccount",
          if(EventCode = "4625", "FailedLogonLocalAccount",
            if(EventCode = "4648", "ExplicitCredentialUseLocalAccount", "Other")
          )
        )
      )
    )
  ) as EventType
// Assign risk scores
| if(EventCode = "4720", 3,
    if(EventCode = "4722", 2,
      if(EventCode = "4732", 4,
        if(EventCode = "4624", 2,
          if(EventCode = "4625", 1,
            if(EventCode = "4648", 3, 1)
          )
        )
      )
    )
  ) as RiskScore
// Detect brute force: 10+ failures per host per 10-minute window
| timeslice 10m
| count(if(EventCode = "4625", 1, null)) as FailCount by Computer, _timeslice
| where EventCode != "4625" OR FailCount >= 10
| if(EventCode = "4625" AND FailCount >= 10, "BruteForceLocalAccount", EventType) as EventType
| if(EventCode = "4625" AND FailCount >= 10, 5, RiskScore) as RiskScore
| fields _messageTime, Computer, EventType, EventCode, RiskScore, TargetUserName, LogonType, SourceIpAddress, FailCount
| sort by _messageTime desc, RiskScore desc

high severity medium confidence

Data Sources

Windows Security Event Log ingested via Sumo Logic Installed Collector or Universal Forwarder

Required Tables

_sourceCategory=*WinEventLog* _sourceCategory=*windows*security*

False Positives

IT operations teams performing local account audits or bulk account creation as part of server hardening playbooks
Monitoring or EDR agents that authenticate using local service accounts across managed endpoints, generating repeated Type 3 network logon events
Windows Server failover cluster nodes authenticating to one another using local administrative accounts, which may produce elevated 4624 Type 3 event volumes

Google Chronicle / SecOps

yaral

rule t1078_003_local_account_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious local account activity including creation, reactivation, privilege escalation, network logons, explicit credential use, and brute force patterns consistent with T1078.003."
    mitre_attack_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1078.003"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "IT provisioning scripts, config management tools, help desk remote access"

  events:
    (
      $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
      and $e.metadata.event_type in (
        "USER_CREATION",
        "USER_CHANGE_PERMISSIONS",
        "USER_LOGIN",
        "USER_LOGIN_FAIL",
        "USER_UNCATEGORIZED"
      )
      and (
        $e.target.user.windows_sid != /^S-1-5-21-\d+-\d+-\d+-500$/ // Not built-in Administrator by SID alone
        or $e.metadata.product_event_type in ("4720", "4722", "4732", "4648")
      )
      // Local account indicator: domain matches hostname or is empty/dot
      and (
        $e.target.user.user_display_name != ""
        and (
          $e.target.administrative_domain = "."
          or $e.target.administrative_domain = ""
          or $e.target.administrative_domain = $e.principal.hostname
        )
      )
      // Exclude built-in noisy accounts
      and not $e.target.user.user_display_name in (
        "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE",
        "SYSTEM", "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1"
      )
      // For logon events (4624), require network or remote interactive logon type and non-loopback source
      and (
        $e.metadata.product_event_type != "4624"
        or (
          $e.extensions.auth.auth_details in ("3", "10")
          and not $e.principal.ip in ("127.0.0.1", "::1")
        )
      )
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    $hostname = $e.principal.hostname
    $target_user = $e.target.user.user_display_name
    $event_code = $e.metadata.product_event_type
    $source_ip = $e.principal.ip
    $risk_score = if(
      $e.metadata.product_event_type = "4732", 4,
      if($e.metadata.product_event_type = "4720", 3,
        if($e.metadata.product_event_type = "4648", 3,
          if($e.metadata.product_event_type = "4722", 2,
            if($e.metadata.product_event_type = "4624", 2, 1)
          )
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Security Event Log forwarded to Google Chronicle via Chronicle forwarder or BindPlane

Required Tables

UDM events with metadata.product_name = Microsoft-Windows-Security-Auditing

False Positives

Privileged Access Workstation (PAW) configurations where administrators routinely use local accounts for sensitive operations, generating frequent 4624 Type 10 events
Automated deployment pipelines creating local service accounts on newly imaged systems as part of a golden image build process
Remote monitoring and management (RMM) agents such as ConnectWise or Kaseya that authenticate using local admin credentials across endpoints

CrowdStrike LogScale (CQL)

cql

// T1078.003 - Local Account Abuse Detection for CrowdStrike Falcon LogScale
// UserAccountCreated, UserAccountEnabled, GroupMembershipChanged, UserLogon, UserLogonFailed

#event_simpleName in (UserAccountCreated, UserAccountEnabled, GroupMembershipChanged, UserLogon, UserLogonFailed, UserIdentity)
| TargetUserName != "ANONYMOUS LOGON"
| TargetUserName != "LOCAL SERVICE"
| TargetUserName != "NETWORK SERVICE"
| TargetUserName != "SYSTEM"
| TargetUserName != /^DWM-\d$/
| TargetUserName != /^UMFD-\d$/
| TargetUserName != ""
// Identify local accounts: TargetDomainName is ".", empty, or matches hostname
| isLocalAccount := if(
    TargetDomainName = "." OR TargetDomainName = "" OR lower(TargetDomainName) = lower(ComputerName),
    "true",
    "false"
  )
| isLocalAccount = "true"
// Filter 4624-equivalent logons to only network (Type 3) or remote interactive (Type 10) from non-loopback
| LogonType := coalesce(LogonType, "")
| RemoteIP := coalesce(RemoteAddressIP4, RemoteAddressIP6, "")
| filter(
    #event_simpleName != "UserLogon" OR
    (
      (LogonType = "3" OR LogonType = "10") AND
      RemoteIP != "127.0.0.1" AND RemoteIP != "::1" AND RemoteIP != ""
    )
  )
// Classify and score
| eventType := case {
    #event_simpleName = "UserAccountCreated", "LocalAccountCreated" ;
    #event_simpleName = "UserAccountEnabled", "LocalAccountEnabled" ;
    #event_simpleName = "GroupMembershipChanged" AND TargetUserName = "Administrators", "AddedToAdministrators" ;
    #event_simpleName = "UserLogon", "NetworkLogonLocalAccount" ;
    #event_simpleName = "UserLogonFailed", "FailedLogonLocalAccount" ;
    #event_simpleName = "UserIdentity", "ExplicitCredentialUseLocalAccount" ;
    * , "OtherLocalAccountEvent"
  }
| eventType != "OtherLocalAccountEvent"
| riskScore := case {
    eventType = "AddedToAdministrators", 4 ;
    eventType = "LocalAccountCreated", 3 ;
    eventType = "ExplicitCredentialUseLocalAccount", 3 ;
    eventType = "LocalAccountEnabled", 2 ;
    eventType = "NetworkLogonLocalAccount", 2 ;
    eventType = "FailedLogonLocalAccount", 1 ;
    * , 1
  }
// Brute force detection: 10+ failed logons per host in 10-minute window
| #event_simpleName = "UserLogonFailed"
| groupBy([ComputerName, eventType], function=[
    count(as=failCount),
    selectLast([TargetUserName, RemoteIP, riskScore])
  ], limit=max)
| failCount >= 10
| riskScore := 5
| eventType := "BruteForceLocalAccount"

// Union the brute force results with individual high-risk events
// Note: Run individually or combine via saved query union in Falcon UI
| table([timestamp, ComputerName, eventType, riskScore, TargetUserName, TargetDomainName, LogonType, RemoteIP, failCount])
| sort(riskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor telemetry (Windows endpoint agent) Falcon Event Stream or Humio/LogScale repository

Required Tables

#event_simpleName in (UserAccountCreated, UserAccountEnabled, GroupMembershipChanged, UserLogon, UserLogonFailed, UserIdentity)

False Positives

Falcon sensor installation and initial enrollment can generate UserAccountCreated events for local service accounts created by the sensor installer
IT technicians performing local account remediation or password resets on endpoints will generate multiple UserLogon and UserLogonFailed events in short succession
Software deployment tools such as SCCM or Intune that run installation packages under local SYSTEM or administrator context may produce UserIdentity events that resemble explicit credential use

Last updated: 2026-04-18 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1078.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Local Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections