Clankerusecase
MITRE ATT&CK detection coverage

T1078.003 Local Accounts

T1078.003 — Local Accounts is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 12 detection use cases covering it and 6 threat-intel articles citing it.

Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access
12 use cases · 6 articles · 0 sub-techniques · 4 tactics

Use cases covering this technique (12)

Cisco ASA - New Local User Account Created | ESCU | actions · hunting | P
Cisco ASA - User Privilege Level Change | ESCU | actions · hunting | P
Detect Excessive User Account Lockouts | ESCU | actions · hunting | P
Potential password in username | ESCU | actions · hunting | P
Short Lived Windows Accounts | ESCU | actions · alerting | P
[LLM] BitLocker tamper attempt via manage-bde or BitLocker PowerShell after WinRE shell access | Bespoke | actions · alerting | DSΣPDDCS
[LLM] nebula-mesh CVE-2026-47724 — cross-operator admin API key mint via POST /api/v1/operators/{id}/api-keys | Bespoke | exploit · alerting | SΣPDD
[LLM] HTTP access to Shopper admin team-settings / Livewire endpoints (CVE-2026-47744) | Bespoke | exploit · hunting | DSΣPDDCW
[LLM] Arcane GitOps: DELETE /api/customize/git-repositories/{id} by non-admin principal (CVE-2026-45625 DoS / post-exfiltration cleanup) | Bespoke | actions · alerting | SΣPDD
[LLM] MCPHub identity spoofing — admin-themed username in /<user>/sse path | Bespoke | exploit · alerting | SΣPDD
[LLM] Portainer Swarm service create/update API access (CVE-2026-44849 exploitation path) | Bespoke | exploit · hunting | DSΣPDDCS
[LLM] Docker local-driver volume created with type=none and o=bind (CVE-2026-44849 volume variant) | Bespoke | exploit · alerting | DSΣPDDCS

Articles citing this technique (6)