AN1137: Analytic 1137
Detects anomalous usage of local accounts to log into a system, especially accounts not typically used interactively or outside business hours.
Analyst context for executives and security teams
This analytic matters because unusual interactive use of local Windows accounts can be an early sign of account misuse, unauthorized access, or weak local account governance. For executives and security leaders, the decision value is not just whether a rule exists, but whether the organization can distinguish expected administrator activity from abnormal local logons, including after-hours use and accounts that should not normally be used interactively.
Executive priority
Prioritize this as an identity and SOC readiness validation item for Windows environments. Leaders should ask whether local account usage is known, monitored, and explainable; whether after-hours administrative access has an approval trail; and whether incident responders can quickly determine who used a local account, from where, and whether the activity was legitimate. This can support operational resilience, audit evidence for privileged access monitoring, and faster incident decision-making.
Technical view
For SOC and detection engineering teams, validate monitoring for anomalous local account logons on Windows systems. The supplied analytic focuses on local accounts used interactively, especially accounts that are not normally interactive or activity occurring outside business hours. Because no official detection logic or related ATT&CK technique context is supplied, implementation should be environment-baselined: define expected local accounts, expected interactive logon patterns, business-hour assumptions, and administrative exceptions before alerting broadly.
Likely telemetry
- Windows logon events showing account name, account type or local account context, target host, logon type, timestamp, and source where available
- Host authentication logs from Windows endpoints and servers
- Privileged or local administrator group membership inventory
- Asset and ownership data to distinguish workstations, servers, kiosks, and administrative jump systems
- Change or approval records for after-hours administrative access where available
Detection direction
- Baseline which local accounts normally log on interactively to each Windows system or system class.
- Flag local accounts used interactively when they are not expected to be used that way, especially on sensitive systems.
- Tune for business-hour context carefully; legitimate maintenance windows, emergency support, and time-zone differences can create false positives.
- Correlate alerts with asset criticality, account privilege, recent account changes, and any approved administrative activity.
- Validate collection coverage across Windows endpoints and servers; blind spots commonly arise where endpoint logging, centralized collection, or account inventory is incomplete.
Mitigation priorities
- Inventory local accounts and identify which are allowed to be used interactively.
- Restrict or remove unnecessary local accounts and local administrative privileges where operationally feasible.
- Require documented approval and traceability for after-hours or exceptional local account use.
- Maintain centralized log collection for Windows authentication activity on systems where local account misuse would be material.
- Periodically review detections against real administrative workflows so alerting remains useful and defensible.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique entry. The strongest use is as a control validation prompt: can the organization observe and explain local Windows account logons, particularly interactive and after-hours use? Detection quality will depend heavily on local baselines, privileged access processes, and log completeness.
The supplied ATT&CK fields provide a description, Windows platform scope, and external reference, but no official detection logic, tactics, related techniques, data sources, mitigations, or relationships. Conclusions about adversary behavior, impact, coverage, or attribution require additional local evidence and are not asserted here.
Analytic 1137
Detects anomalous usage of local accounts to log into a system, especially accounts not typically used interactively or outside business hours.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 18edd059905e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1137Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.