
Attack: Valid Accounts: Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.


Test: Reactivate a locked/expired account (FreeBSD)

OS: FreeBSD

Description:

A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back, at some stage"). An adversary may reactivate such an inactive account in an attempt to appear legitimate.

In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
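The detection side of this test is a change in account state rather than a new login: a locked or expired local account becomes usable again. The Python audit below, added here as an example and not part of this test or the Atomic Red Team project, parses two snapshots of FreeBSD's master.passwd and reports accounts that went from inactive (locked or expired) to active. It assumes the standard FreeBSD field layout (name:password:uid:gid:class:change:expire:gecos:home:shell) and the `*LOCKED*` prefix that pw(8) lock writes into the password field; the account entries, hashes and the `NOW` timestamp are constructed sample data.

```python
"""
Audit helper for dormant local accounts on FreeBSD.

Added example, not code from the page or from Atomic Red Team. It relies on
two FreeBSD conventions: master.passwd has ten colon-separated fields
(name:pw:uid:gid:class:change:expire:gecos:home:shell), and `pw lock`
prefixes the password hash with "*LOCKED*". An expire value of 0 means the
account never expires. All sample entries below are constructed.
"""
from dataclasses import dataclass

LOCK_PREFIX = "*LOCKED*"

# Constructed reference time (epoch seconds) so the example runs offline.
NOW = 1_700_000_000

# Constructed snapshot: "art" is locked and expired, "old" is only expired.
BEFORE = """\
root:$6$hashroot:0:0::0:0:Charlie &:/root:/bin/sh
art:*LOCKED*$6$hashart:1001:1001::0:1600000000:art:/home/art:/bin/sh
old:$6$hashold:1003:1003::0:1500000000:old user:/home/old:/bin/sh
svc:$6$hashsvc:1002:1002::0:0:service:/nonexistent:/usr/sbin/nologin
"""

# Constructed snapshot taken after "art" was unlocked and its expiry cleared.
AFTER = """\
root:$6$hashroot:0:0::0:0:Charlie &:/root:/bin/sh
art:$6$hashart:1001:1001::0:0:art:/home/art:/bin/sh
old:$6$hashold:1003:1003::0:1500000000:old user:/home/old:/bin/sh
svc:$6$hashsvc:1002:1002::0:0:service:/nonexistent:/usr/sbin/nologin
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    locked: bool
    expire: int  # epoch seconds; 0 means the account never expires

    def is_active(self, now: int) -> bool:
        """Usable only if not locked and not past its expiry time."""
        return not self.locked and (self.expire == 0 or self.expire > now)


def parse_master_passwd(text: str) -> dict:
    """Parse master.passwd content into {name: Account}; rejects malformed lines."""
    accounts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, pw, uid, _gid, _cls, _change, expire = fields[:7]
        accounts[name] = Account(
            name=name,
            uid=int(uid),
            locked=pw.startswith(LOCK_PREFIX),
            expire=int(expire) if expire else 0,
        )
    return accounts


def inactive_accounts(text: str, now: int) -> list:
    """Sorted names of accounts that are locked or expired: the baseline to watch."""
    return sorted(n for n, a in parse_master_passwd(text).items() if not a.is_active(now))


def reactivated_accounts(before: str, after: str, now: int) -> list:
    """Sorted names that were inactive in `before` but are active in `after`."""
    old = parse_master_passwd(before)
    new = parse_master_passwd(after)
    return sorted(
        name for name, acct in new.items()
        if acct.is_active(now) and name in old and not old[name].is_active(now)
    )


if __name__ == "__main__":
    print("dormant before:", inactive_accounts(BEFORE, NOW))
    print("dormant after: ", inactive_accounts(AFTER, NOW))
    print("reactivated:   ", reactivated_accounts(BEFORE, AFTER, NOW))
```

Run against real snapshots, the two text arguments would be successive copies of /etc/master.passwd (readable only by root); an account appearing in `reactivated_accounts` is exactly the unlock-and-renew step this test performs, and is worth correlating with who ran pw(8) at that time.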

Executor: sh

Sigma Rule
