
Valid Accounts: Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

ID: T1078.003
Sub-technique of: T1078
Tactic(s): Defense Evasion, Initial Access, Persistence, Privilege Escalation
Platforms: Containers, Linux, macOS, Windows
Permissions required: Administrator, User
Data sources: Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Version: 1.2
Created: 13 Mar 2020
Last modified: 18 Oct 2021

Procedure Examples

Name / Description
APT29

APT29 has used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022)

Operation Wocao

Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

Kimsuky

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)

Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)

Emotet

Emotet can brute force a local admin password, then use it to facilitate lateral movement.(Citation: Malwarebytes Emotet Dec 2017)

Stolen Pencil

Stolen Pencil has a tool to add a Windows admin account in order to ensure continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)

PROMETHIUM

PROMETHIUM has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)

FIN10

FIN10 has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)

APT32

APT32 has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017)

Tropic Trooper

Tropic Trooper has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020)

HAFNIUM

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021)

NotPetya

NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)

Umbreon

Umbreon creates valid local users to provide access to the system.(Citation: Umbreon Trend Micro)

Operation Wocao (campaign)

During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

Turla

Turla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)

Mitigations

Mitigation / Description
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Password Policies

Set and enforce secure password policies for accounts.

Detection

Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.
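The audit described above, as an added example that is not part of the original technique page: it runs over a hand-constructed set of simplified logon-session and account-creation records (the tuple layout and field values are assumptions, not a real log schema) and flags new local accounts, logons outside business hours, and the same local account name appearing on several hosts, which is the password-reuse pattern the procedure examples attribute to Turla and Operation Wocao.

```python
"""Audit local-account activity for the indicators the Detection text names.

Added example; the records below are constructed for illustration and do not
follow any vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed working window
BUSINESS_DAYS = range(0, 5)                   # Monday..Friday (weekday() 0..4)

# Constructed sample events: (ISO timestamp, host, account, event kind).
# 2021-10-18 is a Monday, 2021-10-16 a Saturday.
EVENTS = [
    ("2021-10-18T09:12:00", "WS01", "WS01\\helpdesk", "logon"),            # normal
    ("2021-10-18T02:47:00", "WS01", "WS01\\helpdesk", "logon"),            # 02:47
    ("2021-10-16T14:05:00", "SRV02", "SRV02\\Administrator", "logon"),     # weekend
    ("2021-10-18T03:01:00", "WS01", "WS01\\support2", "account_created"),  # new acct
    ("2021-10-18T03:02:00", "WS01", "WS01\\support2", "logon"),
    ("2021-10-18T03:05:00", "SRV02", "SRV02\\helpdesk", "logon"),          # reuse
]


def is_off_hours(ts: str) -> bool:
    """True if the timestamp falls on a weekend or outside BUSINESS_HOURS."""
    dt = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return dt.weekday() not in BUSINESS_DAYS or not (start <= dt.time() < end)


def audit(events, known_accounts):
    """Return findings as (kind, host(s), account, timestamp) tuples."""
    findings = []
    hosts_per_account = defaultdict(set)
    for ts, host, account, kind in events:
        name = account.split("\\")[-1]          # strip the HOST\ prefix
        if kind == "account_created" and name not in known_accounts:
            findings.append(("new_local_account", host, account, ts))
        if kind == "logon":
            hosts_per_account[name].add(host)
            if is_off_hours(ts):
                findings.append(("off_hours_logon", host, account, ts))
    # One local account name logging on to several hosts suggests a shared
    # local password being reused across the estate.
    for name, hosts in hosts_per_account.items():
        if len(hosts) > 1:
            findings.append(("local_account_on_multiple_hosts",
                             ",".join(sorted(hosts)), name, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS, {"helpdesk", "Administrator"}):
        print(finding)
```

The baseline of expected local accounts (`known_accounts`) should come from the organisation's own inventory; anything created outside it is the persistence case the text describes.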

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  2. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who's Your Daddy?. Retrieved June 4, 2019.
  3. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  4. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  5. Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
  6. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  7. Mercês, F. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  8. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  9. Margosis, A. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.
  10. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  11. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  12. Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
  13. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  14. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  15. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  16. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  17. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  18. Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
