title: Local Accounts (T1078.003)
id: df00tech-t1078-003
status: experimental
description: "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Adversaries may target dormant local accounts, brute-force local admin credentials, create new local accounts, or reuse harvested credentials across multiple systems. This technique is commonly observed in ransomware operations, APT lateral movement, and post-exploitation frameworks such as Cobalt Strike."
references:
  - https://attack.mitre.org/techniques/T1078/003/
  - https://df00tech.com/detections/T1078.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1078.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated, so this selection
  # matches every Windows event. Replace it with the KQL/SPL query on df00tech before
  # deploying, or the rule will fire on all events at level high.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT helpdesk creating local accounts for break-glass or emergency access scenarios (expected during documented maintenance windows)
  - Software installation procedures that create local service accounts (e.g., SQL Server, antivirus agents, monitoring tools installing their own local accounts)
  - Remote management tools (e.g., LAPS, PDQ Deploy, SCCM) authenticating to endpoints using the local administrator account for legitimate patching or management tasks
  - Developers or QA engineers logging into test machines with local credentials instead of domain accounts
  - Backup agents or monitoring services that authenticate via local accounts from internal management servers
level: high
