MITRE ATT&CK® Detection Strategy

DET0407: Detection of Local Account Abuse for Initial Access and Persistence

Enterprise | DET0407 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0407 is a MITRE ATT&CK detection strategy for finding abuse of local accounts tied to Initial Access and Persistence. Its practical value is that local accounts can sit outside centralized identity controls, making them a common blind spot for executive risk discussions around resilience, incident response readiness, and audit evidence. The supplied ATT&CK context links this strategy to Local Accounts (T1078.003), where adversaries may use local credentials for initial access, persistence, privilege escalation, stealth, and related defense-evasion outcomes.

Executive priority

Security leaders should treat local account visibility as an identity and resilience issue, not only an endpoint issue. Priority questions include: which systems or services still rely on local accounts, whether password reuse exists, whether remote support or administration accounts are governed, and whether SOC/IR teams can prove when a local account was created, changed, or used. This matters most where local accounts exist on Linux, macOS, ESXi, and container-related environments as indicated by the related ATT&CK technique.

Technical view

Because the detection strategy object does not include official detection logic, SOC and detection engineering teams should validate coverage against the related technique, T1078.003 Local Accounts. Focus on evidence of local account authentication, local account creation or modification, privilege changes, anomalous use of administrative or service-style local accounts, and authentication patterns inconsistent with expected host or service usage. Detection should be scoped to the related platforms supplied by ATT&CK: Containers, ESXi, Linux, and macOS. IR teams should ensure they can distinguish legitimate administration, remote support, and service usage from suspicious local-account activity.

Likely telemetry

  • Local authentication logs on supported systems
  • Local account creation, deletion, and modification records
  • Privilege or group membership change events for local accounts
  • Remote administration or remote support access records involving local accounts
  • Service or administrative account usage evidence

Detection direction

  • Validate whether local account activity is collected and searchable across the related ATT&CK platforms rather than only centrally managed identity providers.
  • Baseline expected local administrator, service, and support account usage to reduce false positives from legitimate operations.
  • Tune for unusual local account use patterns, such as first-time use, unexpected source, unexpected host, privilege change followed by authentication, or activity outside maintenance windows.
  • Correlate local account events with persistence, privilege escalation, and credential-access investigation context because the related technique notes possible links to privilege elevation and credential harvesting.
  • Identify blind spots where local accounts are unmanaged, shared, reused, excluded from logging, or not tied to named owners.
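The tuning points above (first-time use, privilege change followed by authentication, activity outside maintenance windows) as an added worked example, not Glexia's or MITRE's code. It assumes Linux syslog-style auth log lines, a constructed sample log, an assumed set of privileged local groups and an assumed 08:00-18:00 maintenance window; baseline data would normally come from the account inventory described under Mitigation priorities.

```python
import re
from datetime import datetime, timedelta
# Constructed auth.log-style sample (not real telemetry); syslog timestamps
# carry no year, so parse_line assumes one.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 useradd[4122]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:14:09 web01 usermod[4130]: add 'svc_backup' to group 'sudo'
Mar 10 02:20:33 web01 sshd[4201]: Accepted password for svc_backup from 10.0.5.77 port 51022 ssh2
Mar 10 09:05:12 web01 sshd[4890]: Accepted publickey for deploy from 10.0.1.10 port 40122 ssh2
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
USERADD_RE = re.compile(r"new user: name=([^,]+),")
GROUP_RE = re.compile(r"add '([^']+)' to group '([^']+)'")
ACCEPT_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
PRIV_GROUPS = {"sudo", "wheel", "admin"}   # assumed privileged local groups
MAINT_HOURS = range(8, 18)                 # assumed maintenance window, host local time
PRIV_AUTH_WINDOW = timedelta(hours=1)      # privilege change -> login correlation window

def parse_line(line, year=2025):
    """Split one syslog-style line into timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "msg": m.group(4)}

def analyze(log_text, baseline):
    """Return (host, user, finding) tuples. baseline is the set of (host, user)
    pairs already known to authenticate locally; anything else is first-time use."""
    findings, seen, last_priv = [], set(baseline), {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        ts, host, msg = ev["ts"], ev["host"], ev["msg"]
        if m := USERADD_RE.search(msg):
            findings.append((host, m.group(1), "local_account_created"))
        elif (m := GROUP_RE.search(msg)) and m.group(2) in PRIV_GROUPS:
            last_priv[(host, m.group(1))] = ts
            findings.append((host, m.group(1), "added_to_privileged_group"))
        elif m := ACCEPT_RE.search(msg):
            key = (host, m.group(1))
            if key not in seen:                 # never seen this local account log in here
                seen.add(key)
                findings.append((host, m.group(1), "first_time_local_auth"))
            if key in last_priv and ts - last_priv[key] <= PRIV_AUTH_WINDOW:
                findings.append((host, m.group(1), "auth_after_privilege_change"))
            if ts.hour not in MAINT_HOURS:      # login outside the expected window
                findings.append((host, m.group(1), "auth_outside_maintenance_window"))
    return findings
```

The baselined `deploy` login during the maintenance window produces no finding, while the freshly created `svc_backup` account produces the whole chain: creation, privileged group, first-time login minutes after the privilege change, outside the window.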

Mitigation priorities

  • Inventory local accounts used for administration, services, remote support, and system-specific access.
  • Reduce or remove unnecessary local accounts and assign ownership for those that remain.
  • Prioritize controls that limit password reuse and improve local credential governance.
  • Ensure logging and retention support incident reconstruction for local account creation, modification, privilege changes, and authentication.
  • Document local-account control evidence for audit and incident response readiness.

Analyst notes and limits

The ATT&CK object supplied is a detection strategy with no official description, no official detection text, and no directly specified platforms or tactics. The actionable context comes from its relationship to T1078.003 Local Accounts, including the related tactics and platforms. This take therefore frames validation around local-account abuse rather than claiming a specific analytic, signature, or guaranteed detection method.

No active exploitation, attribution, business impact, detection coverage, or vendor-specific control is established by the supplied fields. Local implementation details, account inventories, logging configuration, and normal administrative practices are required before determining risk or detection quality.

Official MITRE ATT&CK definition

Detection of Local Account Abuse for Initial Access and Persistence

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name            Relationship / procedure
Enterprise  T1078.003  Local Accounts  Sub-technique: this object detects Local Accounts.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c3f657cd2fd4d6cc...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  c3f657cd2fd4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0407

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.