Skip to the content.

back

Find sigma rule :heavy_check_mark:

Attack: Valid Accounts: Local Accounts

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

MITRE

Tactic

technique

Test : Create local account with admin privileges

OS

Description:

After execution the new account will be active and added to the Administrators group

Executor

command_prompt

Sigma Rule

back