Detect Local Accounts in Microsoft Sentinel
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Adversaries may target dormant local accounts, brute-force local admin credentials, create new local accounts, or reuse harvested credentials across multiple systems. This technique is commonly observed in ransomware operations, APT lateral movement, and post-exploitation frameworks such as Cobalt Strike.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Sub-technique: T1078.003 Local Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/003/
KQL Detection Query
// T1078.003 - Local Account Abuse Detection
// Detects suspicious use of local accounts: new account creation, reactivation of dormant accounts,
// addition to the local Administrators group, network/remote logons and explicit credential use
// with local credentials, and brute-force patterns against local accounts.
let lookback = 24h;
// An event refers to a local account when TargetDomainName is ".", empty, or the host's own name.
// Computer in SecurityEvent is usually the FQDN while TargetDomainName carries the NetBIOS name,
// so the short host name is compared as well as the full one.
let IsLocalAccountDomain = (domain:string, computer:string) {
    domain == "." or domain == ""
    or domain =~ computer
    or domain =~ tostring(split(computer, ".")[0])
};
let SuspiciousLocalAccountEvents = union
(
    // New local account creation
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | extend EventType = "LocalAccountCreated", RiskScore = 3
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Local account enabled (possibly reactivating a dormant account)
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4722
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | extend EventType = "LocalAccountEnabled", RiskScore = 2
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Member added to the local Administrators group. For EventID 4732 TargetUserName is the
    // group name; MemberName / MemberSid identify the account that was added.
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4732
    | where TargetUserName =~ "Administrators"
    | extend EventType = "AddedToAdministrators", RiskScore = 4
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, MemberName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Successful network (Type 3) or remote interactive (Type 10) logon with a local account
    // from a non-loopback source
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1")
    | where IpAddress !in ("127.0.0.1", "::1", "-")
    | extend EventType = "NetworkLogonLocalAccount", RiskScore = 2
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName = "", SubjectLogonId = "",
              Activity, EventID
),
(
    // Explicit credential use with a local account (runas / pass-the-hash style)
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4648
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | extend EventType = "ExplicitCredentialUseLocalAccount", RiskScore = 3
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName, SubjectLogonId,
              Activity, EventID
),
(
    // Failed logon attempts against local accounts (brute-force indicator)
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | extend EventType = "FailedLogonLocalAccount", RiskScore = 1
    | project TimeGenerated, Computer, EventType, RiskScore,
              TargetUserName, SubjectUserName = "", SubjectLogonId = "",
              Activity, EventID
);
// Aggregate failed logons per host in 10-minute bins to surface brute force
let BruteForce =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where IsLocalAccountDomain(TargetDomainName, Computer)
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
    | summarize FailCount = count(), DistinctUsers = dcount(TargetUserName) by Computer, bin(TimeGenerated, 10m)
    | where FailCount >= 10
    | extend EventType = "BruteForceLocalAccount", RiskScore = 5,
             TargetUserName = "(multiple)", SubjectUserName = "", SubjectLogonId = "",
             Activity = "Multiple failed logons",
             EventID = toint(4625);   // cast so the column type matches SecurityEvent.EventID in the union
union SuspiciousLocalAccountEvents, BruteForce
| sort by TimeGenerated desc, RiskScore desc

Detects suspicious local account activity including creation of new local accounts, enabling of disabled accounts, addition to the Administrators group, network/remote logons using local credentials from remote IPs, explicit credential use (4648), and brute-force patterns against local accounts. Uses the Windows Security Event log with multiple Event IDs covering the full lifecycle of local account abuse. Filters out well-known built-in service identities and loopback addresses to reduce noise; the 4625 and brute-force branches keep loopback sources on purpose, since local brute-force tooling often appears with IpAddress 127.0.0.1.
Data Sources
Required Tables
- SecurityEvent (Windows Security Event log; the only table the query above reads)
False Positives & Tuning
- IT helpdesk creating local accounts for break-glass or emergency access scenarios (expected during documented maintenance windows)
- Software installation procedures that create local service accounts (e.g., SQL Server, antivirus agents, monitoring tools installing their own local accounts)
- Remote management tools (e.g., LAPS, PDQ Deploy, SCCM) authenticating to endpoints using the local administrator account for legitimate patching or management tasks
- Developers or QA engineers logging into test machines with local credentials instead of domain accounts
- Backup agents or monitoring services that authenticate via local accounts from internal management servers
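An added tuning example, not part of the page's detection query: it applies the allowlists implied by the list above to the noisiest branch, network and remote interactive logons with a local account (EventID 4624). The subnets, host names and account names are placeholders for your environment, and in production the datatable would normally be a Sentinel watchlist read with _GetWatchlist().

```kql
// Added tuning example (not the page's query). Placeholders: ManagementRanges, ApprovedLocalAccounts.
let lookback = 24h;
// Source ranges of patch, backup and monitoring servers that are expected to use local credentials
let ManagementRanges = dynamic(["10.10.0.0/24", "10.20.5.0/26"]);   // placeholder CIDRs
// Local accounts that exist on purpose (installer-created service accounts, QA test machines)
let ApprovedLocalAccounts = datatable(Computer:string, TargetUserName:string, Reason:string) [
    "sqlsrv01.corp.example",    "sqlsvc",   "SQL Server service account (placeholder)",
    "qa-win11-07.corp.example", "qa-local", "QA test machine, local logons expected (placeholder)"
]
| extend AllowKey = tolower(strcat(Computer, "|", TargetUserName));
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| where TargetDomainName == "." or TargetDomainName == ""
    or TargetDomainName =~ tostring(split(Computer, ".")[0])
| where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM")
| where IpAddress !in ("127.0.0.1", "::1", "-")
// ipv4_is_in_any_range() returns null for IPv6 or unparsable sources; treat those as "not management"
// so they are still reviewed rather than silently dropped by the null comparison
| extend FromManagementRange = coalesce(ipv4_is_in_any_range(IpAddress, ManagementRanges), false)
| where not(FromManagementRange)
// Drop (host, account) pairs that are documented as expected; the join is case-insensitive via AllowKey
| extend AllowKey = tolower(strcat(Computer, "|", TargetUserName))
| join kind=leftanti ApprovedLocalAccounts on AllowKey
// What remains is alert-worthy when the same local account is used from several sources or
// on several hosts in the window, the credential-reuse pattern the page describes
| summarize Logons = count(), Sources = dcount(IpAddress), Hosts = make_set(Computer, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
        by TargetUserName
| where Sources >= 2 or array_length(Hosts) >= 2
| sort by Sources desc, Logons desc
```

The suppressed management-range and allowlisted logons are still in SecurityEvent for hunting; this query only keeps them out of the alert feed.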
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Backdoor Local Admin Account
Expected signal: Security EventID 4720: New local account 'argus_test_backdoor' created (TargetDomainName will match ComputerName). Security EventID 4732: Account added to Administrators group (TargetUserName=Administrators). Security EventID 4722: Account enabled. Process creation events for net.exe and net1.exe (Sysmon EventID 1 or Security EventID 4688).
- Test 2: Brute Force Local Administrator Account
Expected signal: 15x Security EventID 4625 (logon failure) with TargetUserName=Administrator, LogonType=3, IpAddress=127.0.0.1. Failure reason 0xC000006D (wrong password) or 0xC000006A. SubStatus 0xC0000064 or 0xC000006A. Events will appear in rapid succession within a 1-minute window.
- Test 3: Pass-the-Hash Style Lateral Movement Using Local Account Credentials
Expected signal: Security EventID 4648 (explicit credentials used) on the initiating host with TargetUserName=Administrator, TargetDomainName=<COMPUTERNAME>. Security EventID 4624 (LogonType=3) on the target with TargetUserName=Administrator, TargetDomainName=<COMPUTERNAME>, IpAddress of initiating host. Sysmon EventID 3: network connection to destination port 445.
- Test 4: Enable and Use Disabled Built-in Administrator Account via Registry
Expected signal: Security EventID 4722 (local account enabled) with TargetUserName=Administrator. Security EventID 4723 or 4724 (password change/reset) for the Administrator account. Process creation events for net.exe (Sysmon EventID 1). If the account is then used for logon, EventID 4624 with TargetUserName=Administrator and LogonType matching the access method.
- Test 5: Linux Local Account Abuse — Create Privileged User and Switch Context
Expected signal: Syslog/auth.log: useradd command execution, new user creation entry. /var/log/auth.log or /var/log/secure: PAM authentication events for su session. auditd (if configured): syscall audit records for useradd (execve), usermod (execve), write to /etc/passwd and /etc/shadow. Sysmon for Linux (if deployed): process creation events for useradd, usermod, chpasswd, su.
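An added coverage check for the Windows tests above (Tests 1 to 4), not part of the page: after the tests have run on a lab host, it lists each expected Security event and whether it actually reached SecurityEvent. TestHost and TestWindow are placeholders; Test 5 produces Linux syslog/auditd telemetry and is not covered by SecurityEvent.

```kql
// Added example (not the page's query). Placeholders: TestHost, TestWindow.
let TestHost = "lab-win-01";   // short (NetBIOS) name of the host the Atomic tests ran on
let TestWindow = 2h;
// Expected signal per test, taken from the list above
let Expected = datatable(Test:string, EventID:int, Condition:string) [
    "Test 1", 4720, "new local account created",
    "Test 1", 4732, "member added to Administrators",
    "Test 1", 4722, "account enabled",
    "Test 2", 4625, "10+ failures against Administrator within a 10-minute bin",
    "Test 3", 4648, "explicit credentials for local Administrator on the initiating host",
    "Test 3", 4624, "LogonType 3 for local Administrator on the target",
    "Test 4", 4722, "built-in Administrator enabled"
];
let Observed =
    SecurityEvent
    | where TimeGenerated > ago(TestWindow)
    | where tostring(split(Computer, ".")[0]) =~ TestHost
    | where EventID in (4720, 4722, 4732, 4648, 4624, 4625)
    // Logon-type events must reference a local account; account-management events carry the
    // host name in TargetDomainName already
    | where EventID !in (4624, 4625, 4648)
        or TargetDomainName == "." or TargetDomainName == "" or TargetDomainName =~ TestHost
    | where EventID != 4624 or LogonType in (3, 10)
    | summarize Count = count(), Users = make_set(TargetUserName, 10),
                FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by EventID;
Expected
| join kind=leftouter Observed on EventID
| extend Status = case(
    isnull(Count), "MISSING",
    EventID == 4625 and Count < 10, "PARTIAL (below the brute-force threshold of 10)",
    "OK")
| project Test, EventID, Condition, Status, Count = coalesce(Count, 0), Users, FirstSeen, LastSeen
| sort by Test asc, EventID asc
```

A MISSING row for an event the test definitely generated points at audit policy or agent collection rather than at the detection logic.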
References (13)
- https://attack.mitre.org/techniques/T1078/003/
- https://attack.mitre.org/techniques/T1078/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia
- https://www.malwarebytes.com/blog/news/2017/12/self-propagating-emotet-modules
- https://www.mandiant.com/resources/apt32-targeting-vietnam
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft
- https://www.cisa.gov/sites/default/files/publications/AA22-152A_Wiper_Malware_Analysis_508C.pdf