T1078.002: Domain Accounts
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
supply_chain: PT-CR-1758: SupplyChain_Merge_Request_Approve_By_Creator: A user approved their own merge request
supply_chain: PT-CR-1771: SupplyChain_Gitlab_Login_From_New_Address: A user with the Maintainer, Owner, or Developer role logged in to an application from a new address
enterprise_1c_and_bitrix: PT-CR-669: Enterprise_1C_Logon_Of_Significant_User: A user logged in under a blacklisted account
enterprise_1c_and_bitrix: PT-CR-671: Enterprise_1C_Logon_Same_User_From_Different_Terminals: Successful login from different terminals
enterprise_1c_and_bitrix: PT-CR-670: Enterprise_1C_Enable_Account_And_Login: A newly created user logged in
enterprise_1c_and_bitrix: PT-CR-668: Enterprise_1C_Using_Various_Accounts_On_One_Terminal: Logging into the system from one host under multiple accounts
kaspersky: PT-CR-1846: Kaspersky_Enable_User: A user enabled an account
pt_nad: PT-CR-737: NAD_SAM_Account_Name_Spoofing: A user requested a TGT
remote_work: PT-CR-1057: VPN_User_Abnormal_Access: Suspicious login to internal resources. A user logged in from another user's address or authentication data differs from the collected profile.
remote_work: PT-CR-1056: VPN_MultiUser_IP: The same IP address is used in different VPN sessions
remote_work: PT-CR-1048: RDG_Abnormal_Access: Suspicious RDG connection. Authentication data differs from the collected profile.
remote_work: PT-CR-1055: VPN_Abnormal_Access: Suspicious VPN connection. Connection data differs from the previously collected profile.
remote_work: PT-CR-1058: Remote_Login_From_Not_Allowed_Country: Connection via VPN or RDG from an IP address that does not belong to the allowed countries' address pool
remote_work: PT-CR-1036: Mail_Abnormal_Access: Suspicious logon to an email account from a new mobile device. Authentication data differ from the collected profile.
microsoft_mecm: PT-CR-1877: MECM_Create_New_Roles: Creating a new role in MECM
microsoft_mecm: PT-CR-1875: MECM_Privileges_Escalation_Via_Role: Privilege escalation for a user in MECM
microsoft_mecm: PT-CR-1874: MECM_Not_Allowed_Operation_With_Roles: Attempt to escalate privileges using roles in MECM
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
microsoft_mecm: PT-CR-1873: MECM_Client: Connecting a new host to the infrastructure using MECM
mitre_attck_execution: PT-CR-1358: PowerViewPy_Init_Connection: LDAP queries to the domain controller indicate running the Powerview.py script
mitre_attck_initial_access: PT-CR-1380: Service_Account_Mail_Auth: Authorization in corporate email under a service account
mitre_attck_initial_access: PT-CR-1379: Service_Account_VPN_Connect: Service account connected to the infrastructure via VPN
mitre_attck_initial_access: PT-CR-2567: Logon_Via_Vuln_Scanner_Account: Login under a vulnerability scanner account from a host that is not a vulnerability scanner server. This may indicate the account is being used by attackers.
mitre_attck_initial_access: PT-CR-1381: Service_Logon_From_VPN_Network: A user logged in to an internal service or host from a VPN network under a service account
microsoft_sharepoint: PT-CR-2113: Sharepoint_Logon_Of_Significant_User: A user logged in under a blacklisted account
microsoft_sharepoint: PT-CR-2115: Sharepoint_Grant_User_Access: A user is granted login access to the SharePoint server
clickhouse: PT-CR-1580: ClickHouse_Logon_Of_Significant_User: DBMS login under an account from the Applications_Significant_Users tabular list is detected
clickhouse: PT-CR-1567: ClickHouse_Logon_Same_User_From_Different_Hosts: Attempts to log in to a DBMS under the same account from different hosts are detected
clickhouse: PT-CR-1579: ClickHouse_Logon_Same_Host_Different_Users: Attempts to log in to a DBMS under different user accounts from the same host are detected
microsoft_exchange: PT-CR-2361: Exchange_Blacklisted_Account_Login: A blacklisted user logged in to Exchange. This could be an attacker's attempt to escalate privileges.
microsoft_exchange: PT-CR-2434: Exchange_Distribution_Group_Member_Added: Attempt to add a user to a distribution group
bruteforce: PT-CR-1706: Probing_Auth_On_Various_Hosts: Multiple attempts to log in to different hosts under the same account. This may be a sign of an attacker trying to enter previously obtained credentials on various hosts in order to gain access.
active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: The user renamed the AD object or requested a TGT ticket on behalf of an account that matches the name of the domain controller. This may indicate a sAMAccountName spoofing attack. It can allow an attacker to obtain a TGT ticket, for example, in the name of a domain controller, gain a foothold in the system and increase their privileges.
active_directory_attacks: PT-CR-656: Failed_Network_Access_With_Unknown_User: A user failed to log in to a host running Windows on behalf of a disabled or non-existent account. This may indicate account bruteforcing or compromised credentials.
mitre_attck_lateral_movement: PT-CR-2462: Multiple_RDP_From_One_User_Or_Host: Multiple RDP connections from one host or account. This may indicate an attacker's hidden movement from one compromised system to another.
profiling: PT-CR-1063: Wifi_Abnormal_Access: Suspicious connection to Wi-Fi equipment. Authentication data differ from the collected profile.
profiling: PT-CR-1782: PT_IAM_Abnormal_Access: Suspicious logon to a Positive Technologies application using IAM. Authentication data differ from the collected profile.
profiling: PT-CR-2519: Infowatch_TM_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differ from the collected profile.
profiling: PT-CR-2337: PostgreSQL_Abnormal_Access: Suspicious logon to DBMS PostgreSQL. Authentication data differ from the collected profile.
profiling: PT-CR-2456: FreeIPA_Abnormal_Access: Suspicious authentication in the FreeIPA domain. Authentication data differ from the previously collected profile.
profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
profiling: PT-CR-1783: Owa_Abnormal_Access: Suspicious logon to Outlook Web App. Authentication data differ from the collected profile.
profiling: PT-CR-1051: KSC_Console_Abnormal_Access: Suspicious logon to the Kaspersky Security Center console. Authentication data differ from the collected profile.
profiling: PT-CR-1788: Keycloak_Abnormal_Access: Suspicious logon via Keycloak. Authentication data differ from the collected profile.
profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious login to the update server (FLUS/GUS). Authentication data differs from the collected profile.
profiling: PT-CR-1808: Passwork_Abnormal_Access: Suspicious logon to Passwork. Authentication data differ from the collected profile.
profiling: PT-CR-1792: ADFS_Abnormal_Access: Suspicious logon via Active Directory Federation Services (AD FS). Authentication data differ from the collected profile.
profiling: PT-CR-2580: Citrix_NS_ADC_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differs from the collected profile.
profiling: PT-CR-1049: Subrule_Unix_Server_Abnormal_Access: Suspicious connections via SSH to Unix network servers. Authentication data differ from the collected profile.
profiling: PT-CR-1791: Application_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differ from the collected profile.
profiling: PT-CR-1041: Teamcity_Abnormal_Access: Suspicious logon to TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-2059: Zabbix_Abnormal_Access: Suspicious logon to Zabbix. Authentication data differs from the previously collected profile.
profiling: PT-CR-1920: PTAF_Abnormal_Access: Suspicious logon to PT AF. Authentication data differ from the collected profile.
profiling: PT-CR-1059: VCenter_Abnormal_Access: Suspicious logon to vCenter. Authentication data differ from the collected profile.
profiling: PT-CR-1871: MECM_Abnormal_Access: Suspicious logon via Microsoft Endpoint Configuration Manager. Authentication data differ from the collected profile.
profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
profiling: PT-CR-1054: Subrule_Teampass_Login_Successful: Logon to TeamPass
profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
profiling: PT-CR-1811: Teamcity_Abnormal_BuildConfig_Modify: Suspicious logon and build configuration changes in TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-1034: App_1C_Enterprise_Abnormal_Access: Suspicious logon to 1C:Enterprise. Authentication data differ from the collected profile.
profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
profiling: PT-CR-1050: Subrule_Windows_Host_Abnormal_Access: Suspicious logon to a critical host. Authentication data differ from the collected profile.
profiling: PT-CR-1809: Gitlab_Abnormal_Access: Suspicious logon to GitLab. Authentication data differ from the collected profile.
profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: A suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
profiling: PT-CR-1037: UsWeb_Abnormal_Access: Suspicious login to the update server web interface. Authentication data differs from the collected profile.
profiling: PT-CR-1785: Teampass_Abnormal_Access: Suspicious logon to TeamPass. Authentication data differ from the collected profile.
profiling: PT-CR-1784: MSSQL_Abnormal_Access: Suspicious logon to Microsoft SQL Server. Authentication data differ from the collected profile.
profiling: PT-CR-1793: Confluence_Abnormal_Access: Suspicious logon to Confluence. Authentication data differ from the collected profile.
profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
profiling: PT-CR-2325: Grafana_Abnormal_Access: Suspicious logon to Grafana. Authentication data differ from the collected profile.
profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
profiling: PT-CR-1787: MFA_Abnormal_Access: Suspicious authentication in Multifactor. Authentication data differ from the collected profile.
profiling: PT-CR-2137: Hashicorp_Vault_Abnormal_Access: Suspicious logon to Vault. Authentication data differ from the collected profile.
profiling: PT-CR-218: SecurityAdmin_Abnormal_Access: Suspicious logon by a security administrator. Authentication data differ from the collected profile.
Detection
ID: DS0028
Data source and component: Logon Session: Logon Session Creation
Description: Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.
Analytic 1 - Remote Desktop Logon

ID: DS0002
Data source and component: User Account: User Account Authentication
Description: Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Note:

ID: DS0028
Data source and component: Logon Session: Logon Session Metadata
Description: Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
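The DS0028 guidance above lists four patterns worth alerting on: one account logged into several systems at once, several accounts on one machine within the same hour, remote desktop logons (type 10) from workstations other than the approved ones, and logons outside business hours. The following Python is an added example, not part of this page or of the MaxPatrol SIEM rule set, that runs those four checks over a handful of constructed 4624-style events; the hostnames, account names, timestamps and the approved jump host `ADMIN-JUMP-01` are all made up for illustration.

```python
"""Toy detections over Windows 4624-style logon events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types the text calls out: 2 interactive, 3 network, 9 new credentials, 10 RemoteInteractive (RDP).
INTERESTING_LOGON_TYPES = {2, 3, 9, 10}

# Constructed events modelled on the fields of event 4624; none of this is real log data.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:02:11", "host": "WS-ACCT-01", "user": "jdoe", "logon_type": 2, "src_ws": "WS-ACCT-01"},
    {"time": "2024-03-04T09:05:40", "host": "FS-01", "user": "jdoe", "logon_type": 3, "src_ws": "WS-ACCT-01"},
    {"time": "2024-03-04T09:07:02", "host": "WS-HR-07", "user": "jdoe", "logon_type": 10, "src_ws": "WS-ACCT-01"},
    {"time": "2024-03-04T10:15:00", "host": "SRV-APP-02", "user": "svc_backup", "logon_type": 5, "src_ws": "-"},
    {"time": "2024-03-04T11:00:00", "host": "DC-01", "user": "admin.it", "logon_type": 10, "src_ws": "ADMIN-JUMP-01"},
    {"time": "2024-03-04T23:41:17", "host": "WS-HR-07", "user": "admin.it", "logon_type": 10, "src_ws": "WS-ACCT-01"},
    {"time": "2024-03-04T23:45:05", "host": "WS-HR-07", "user": "mperez", "logon_type": 3, "src_ws": "WS-ACCT-01"},
]

# Hypothetical allow-list of workstations from which RDP to servers is expected.
APPROVED_RDP_SOURCES = {"ADMIN-JUMP-01"}


def parse(events):
    """Keep only the logon types of interest and convert timestamps; returns events sorted by time."""
    kept = [{**e, "time": datetime.fromisoformat(e["time"])}
            for e in events if e["logon_type"] in INTERESTING_LOGON_TYPES]
    return sorted(kept, key=lambda e: e["time"])


def account_on_multiple_hosts(events, window=timedelta(minutes=15)):
    """One account logging on to different hosts within `window`: returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in events:                      # events are time-sorted, so each per-user list is too
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        hosts = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["time"] - a["time"] > window:
                    break                 # later events are further apart still
                if a["host"] != b["host"]:
                    hosts.update((a["host"], b["host"]))
        if hosts:
            findings[user] = sorted(hosts)
    return findings


def multiple_users_same_host(events):
    """Distinct accounts logging on to one host within the same clock hour: {(host, hour): users}."""
    by_host_hour = defaultdict(set)
    for e in events:
        by_host_hour[(e["host"], e["time"].strftime("%Y-%m-%dT%H"))].add(e["user"])
    return {k: sorted(v) for k, v in by_host_hour.items() if len(v) > 1}


def rdp_from_unapproved_source(events, approved_sources):
    """RemoteInteractive (type 10) logons whose source workstation is not on the allow-list."""
    return [e for e in events if e["logon_type"] == 10 and e["src_ws"] not in approved_sources]


def outside_business_hours(events, start_hour=8, end_hour=19):
    """Logons before start_hour or at/after end_hour (weekends ignored to keep the example short)."""
    return [e for e in events if not (start_hour <= e["time"].hour < end_hour)]


def run_detections(raw_events, approved_rdp_sources):
    """Run all four checks and return compact, comparable findings."""
    events = parse(raw_events)
    return {
        "account_on_multiple_hosts": account_on_multiple_hosts(events),
        "multiple_users_same_host": multiple_users_same_host(events),
        "rdp_from_unapproved_source": [(e["user"], e["host"], e["src_ws"])
                                       for e in rdp_from_unapproved_source(events, approved_rdp_sources)],
        "outside_business_hours": [(e["user"], e["host"]) for e in outside_business_hours(events)],
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS, APPROVED_RDP_SOURCES).items():
        print(f"{name}: {hits}")
```

On the sample data the checks flag `jdoe` for touching three hosts inside 15 minutes, `WS-HR-07` for two different accounts in the 23:00 hour, the two RDP logons that did not originate from the jump host, and the two late-night logons; the service-account logon (type 5) is dropped by `parse` because it is not one of the logon types the text names. In production the same logic would sit on top of a proper window over event 4624 data with a per-host or per-user baseline, which is what the profiling rules listed earlier on this page provide.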
Mitigation
ID: M1026
Name: Privileged Account Management
Description: Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.

ID: M1032
Name: Multi-factor Authentication
Description: Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

ID: M1017
Name: User Training
Description: Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.