T1078.003 CrowdStrike LogScale · LogScale

Detect Local Accounts in CrowdStrike LogScale

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Adversaries may target dormant local accounts, brute-force local admin credentials, create new local accounts, or reuse harvested credentials across multiple systems. This technique is commonly observed in ransomware operations, APT lateral movement, and post-exploitation frameworks such as Cobalt Strike.

MITRE ATT&CK

Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique: T1078 Valid Accounts
Sub-technique: T1078.003 Local Accounts
Canonical reference: https://attack.mitre.org/techniques/T1078/003/

LogScale Detection Query

// T1078.003 - Local Account Abuse Detection for CrowdStrike Falcon LogScale
// Query 1 scores individual events; Query 2 (below) is the brute force aggregation.
// LogScale has no in-query union, so run them separately or join them as saved queries in the Falcon UI.

in(#event_simpleName, values=["UserAccountCreated", "UserAccountEnabled", "GroupMembershipChanged", "UserLogon", "UserLogonFailed", "UserIdentity"])
// Drop well-known service principals and per-session window manager accounts
| not in(TargetUserName, values=["ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", ""])
| TargetUserName != /^(DWM|UMFD)-\d$/
// Identify local accounts: TargetDomainName is ".", empty, or matches the hostname (case-insensitive)
| lower(TargetDomainName, as=domainLower)
| lower(ComputerName, as=hostLower)
| TargetDomainName = "." or TargetDomainName = "" or test(domainLower == hostLower)
// Remote source address (IPv4 first, then IPv6); absent on non-logon events
| coalesce([RemoteAddressIP4, RemoteAddressIP6], as=RemoteIP)
// Classify and score. UserLogon (4624-equivalent) is kept only for network (Type 3) or
// remote interactive (Type 10) logons from a non-loopback source; the loopback exclusion
// does not apply to UserLogonFailed. Events matching no branch get no eventType and are dropped.
| case {
    #event_simpleName = "UserAccountCreated" | eventType := "LocalAccountCreated" | riskScore := 3;
    #event_simpleName = "UserAccountEnabled" | eventType := "LocalAccountEnabled" | riskScore := 2;
    #event_simpleName = "GroupMembershipChanged" TargetUserName = "Administrators" | eventType := "AddedToAdministrators" | riskScore := 4;
    #event_simpleName = "UserLogon" in(LogonType, values=["3", "10"]) RemoteIP = * RemoteIP != "127.0.0.1" RemoteIP != "::1" | eventType := "NetworkLogonLocalAccount" | riskScore := 2;
    #event_simpleName = "UserLogonFailed" | eventType := "FailedLogonLocalAccount" | riskScore := 1;
    #event_simpleName = "UserIdentity" | eventType := "ExplicitCredentialUseLocalAccount" | riskScore := 3
  }
| eventType = *
| table([@timestamp, ComputerName, eventType, riskScore, TargetUserName, TargetDomainName, LogonType, RemoteIP])
| sort(riskScore, type=number, order=desc)

// Query 2: Brute force detection - 10+ failed local account logons per host in a 10-minute window
#event_simpleName = "UserLogonFailed"
| not in(TargetUserName, values=["ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", ""])
| lower(TargetDomainName, as=domainLower)
| lower(ComputerName, as=hostLower)
| TargetDomainName = "." or TargetDomainName = "" or test(domainLower == hostLower)
| bucket(span=10m, field=[ComputerName], function=[count(as=failCount), selectLast([TargetUserName, RemoteAddressIP4])])
| failCount >= 10
| riskScore := 5
| eventType := "BruteForceLocalAccount"
| table([_bucket, ComputerName, eventType, riskScore, TargetUserName, RemoteAddressIP4, failCount])
| sort(failCount, type=number, order=desc)
Severity: high. Confidence: medium.

CrowdStrike LogScale CQL query detecting local account abuse on Windows endpoints. Targets Falcon telemetry events UserAccountCreated, UserAccountEnabled, GroupMembershipChanged, UserLogon, UserLogonFailed, and UserIdentity. Identifies local accounts using TargetDomainName matching conventions, filters logon events to network and remote interactive types from non-loopback sources, assigns risk scores per event type, and flags brute force patterns of 10+ failures per host per 10-minute window.
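As an added example (not code from this catalog page or from CrowdStrike), the Python below models the query's logic over constructed Falcon-style events, so the local-account test, the logon-type and loopback filter, the risk scores and the per-host 10-minute brute force bucket can be checked against the Testing Methodology scenarios before the rule ships. The shortened keys (event, host, user, domain, logon_type, ip) are assumed stand-ins for the Falcon field names.

```python
import re
from collections import Counter

WINDOW, THRESHOLD = 600, 10   # 10-minute bucket, 10+ failures, as in the query
EXCLUDED = {"ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", ""}
SESSION_RE = re.compile(r"^(DWM|UMFD)-\d$")       # per-session window manager accounts
SCORES = {"AddedToAdministrators": 4, "LocalAccountCreated": 3,
          "ExplicitCredentialUseLocalAccount": 3, "LocalAccountEnabled": 2,
          "NetworkLogonLocalAccount": 2, "FailedLogonLocalAccount": 1}
KINDS = {"UserAccountCreated": "LocalAccountCreated", "UserAccountEnabled": "LocalAccountEnabled",
         "UserLogonFailed": "FailedLogonLocalAccount", "UserIdentity": "ExplicitCredentialUseLocalAccount"}

def is_local(ev):
    """TargetDomainName is '.', empty, or equals the hostname (case-insensitive)."""
    return ev["domain"] in (".", "") or ev["domain"].lower() == ev["host"].lower()

def classify(ev):
    """The query's eventType for one event, or None if the event is filtered out."""
    user = ev["user"]
    if user in EXCLUDED or SESSION_RE.match(user) or not is_local(ev):
        return None
    if ev["event"] == "UserLogon":   # keep only Type 3/10 logons from a non-loopback source
        if ev.get("logon_type") not in ("3", "10") or ev.get("ip", "") in ("", "127.0.0.1", "::1"):
            return None
        return "NetworkLogonLocalAccount"
    if ev["event"] == "GroupMembershipChanged":
        return "AddedToAdministrators" if user == "Administrators" else None
    return KINDS.get(ev["event"])

def score(events):
    """Per-event findings as (ts, host, eventType, riskScore, user), highest risk first."""
    hits = [(ev["ts"], ev["host"], t, SCORES[t], ev["user"]) for ev in events if (t := classify(ev))]
    return sorted(hits, key=lambda h: -h[3])

def brute_force(events):
    """Hosts with >= THRESHOLD failed local-account logons inside one WINDOW bucket."""
    per_bucket = Counter((ev["host"], ev["ts"] // WINDOW) for ev in events
                         if classify(ev) == "FailedLogonLocalAccount")
    return [{"host": h, "bucket": b, "failCount": n, "riskScore": 5}
            for (h, b), n in per_bucket.items() if n >= THRESHOLD]

# Constructed sample events in shortened Falcon field terms (not real telemetry); ts = epoch seconds
SAMPLE = [
    {"ts": 0, "event": "UserAccountCreated", "host": "WS01", "user": "svc_bk", "domain": "WS01"},
    {"ts": 5, "event": "GroupMembershipChanged", "host": "WS01", "user": "Administrators", "domain": "WS01"},
    {"ts": 10, "event": "UserLogon", "host": "WS01", "user": "Administrator", "domain": ".", "logon_type": "3", "ip": "127.0.0.1"},
    {"ts": 15, "event": "UserLogon", "host": "WS02", "user": "Administrator", "domain": "ws02", "logon_type": "10", "ip": "10.0.0.5"},
    {"ts": 20, "event": "UserLogon", "host": "WS02", "user": "alice", "domain": "CORP", "logon_type": "3", "ip": "10.0.0.5"},
] + [{"ts": 30 + 4 * i, "event": "UserLogonFailed", "host": "WS03", "user": "Administrator",
      "domain": "WS03", "logon_type": "3", "ip": "127.0.0.1"} for i in range(12)]
```

The loopback logon at ts=10 and the domain account at ts=20 are dropped, while the twelve loopback failures still count toward the brute force bucket, mirroring the query and the expected signal of Test 2.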

Data Sources

  • CrowdStrike Falcon sensor telemetry (Windows endpoint agent)
  • Falcon Event Stream or Humio/LogScale repository

Required Tables

#event_simpleName values: UserAccountCreated, UserAccountEnabled, GroupMembershipChanged, UserLogon, UserLogonFailed, UserIdentity

False Positives & Tuning

  • Falcon sensor installation and initial enrollment can generate UserAccountCreated events for local service accounts created by the sensor installer
  • IT technicians performing local account remediation or password resets on endpoints will generate multiple UserLogon and UserLogonFailed events in short succession
  • Software deployment tools such as SCCM or Intune that run installation packages under local SYSTEM or administrator context may produce UserIdentity events that resemble explicit credential use
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Backdoor Local Admin Account

    Expected signal: Security EventID 4720: New local account 'argus_test_backdoor' created (TargetDomainName will match ComputerName). Security EventID 4732: Account added to Administrators group (TargetUserName=Administrators). Security EventID 4722: Account enabled. Process creation events for net.exe and net1.exe (Sysmon EventID 1 or Security EventID 4688).

  2. Test 2: Brute Force Local Administrator Account

    Expected signal: 15x Security EventID 4625 (logon failure) with TargetUserName=Administrator, LogonType=3, IpAddress=127.0.0.1. Failure reason 0xC000006D (wrong password) or 0xC000006A. SubStatus 0xC0000064 or 0xC000006A. Events will appear in rapid succession within a 1-minute window.

  3. Test 3: Pass-the-Hash Style Lateral Movement Using Local Account Credentials

    Expected signal: Security EventID 4648 (explicit credentials used) on the initiating host with TargetUserName=Administrator, TargetDomainName=<COMPUTERNAME>. Security EventID 4624 (LogonType=3) on the target with TargetUserName=Administrator, TargetDomainName=<COMPUTERNAME>, IpAddress of initiating host. Sysmon EventID 3: network connection to destination port 445.

  4. Test 4: Enable and Use Disabled Built-in Administrator Account via Registry

    Expected signal: Security EventID 4722 (local account enabled) with TargetUserName=Administrator. Security EventID 4723 or 4724 (password change/reset) for the Administrator account. Process creation events for net.exe (Sysmon EventID 1). If the account is then used for logon, EventID 4624 with TargetUserName=Administrator and LogonType matching the access method.

  5. Test 5: Linux Local Account Abuse — Create Privileged User and Switch Context

    Expected signal: Syslog/auth.log: useradd command execution, new user creation entry. /var/log/auth.log or /var/log/secure: PAM authentication events for su session. auditd (if configured): syscall audit records for useradd (execve), usermod (execve), write to /etc/passwd and /etc/shadow. Sysmon for Linux (if deployed): process creation events for useradd, usermod, chpasswd, su.
