Benchmark: T1078.003 Valid Accounts: Local Accounts
Overview
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections
Start the Powerpipe server:
powerpipe server
Open http://localhost:9033 in your browser and select T1078.003 Valid Accounts: Local Accounts.
Run this benchmark in your terminal:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0004_t1078_003
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0004_t1078_003 --share