T1078.002: Domain Accounts
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_execution: PT-CR-1358: PowerViewPy_Init_Connection: LDAP queries to the domain controller indicate running the Powerview.py script
mitre_attck_initial_access: PT-CR-1379: Service_Account_VPN_Connect: Service account connected to the infrastructure via VPN
mitre_attck_initial_access: PT-CR-1380: Service_Account_Mail_Auth: Authorization in corporate email under a service account
mitre_attck_initial_access: PT-CR-1381: Service_Logon_from_VPN_Network: A user logged in to an internal service or host from a VPN network under a service account
supply_chain: PT-CR-1758: SupplyChain_Merge_Request_Approve_By_Creator: A user approved their own merge request
microsoft_mecm: PT-CR-1877: MECM_Create_new_roles: Creating a new role in MECM
supply_chain: PT-CR-1771: SupplyChain_Gitlab_Login_From_New_Address: A user with the Maintainer, Owner, or Developer role logged in to an application from a new address
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
microsoft_mecm: PT-CR-1873: MECM_Client: Connecting a new host to the infrastructure using MECM
microsoft_mecm: PT-CR-1874: MECM_not_allowed_operation_with_roles: Attempt to escalate privileges using roles in MECM
microsoft_mecm: PT-CR-1875: MECM_privileges_escalation_via_role: Privilege escalation for a user in MECM
microsoft_sharepoint: PT-CR-2113: Sharepoint_logon_of_significant_user: A user logged in under a blacklisted account
microsoft_sharepoint: PT-CR-2115: Sharepoint_grant_user_access: A user is granted login access to the SharePoint server
enterprise_1c_and_bitrix: PT-CR-670: Enterprise_1C_enable_account_and_login: A newly created user logged in
enterprise_1c_and_bitrix: PT-CR-671: Enterprise_1C_logon_same_user_from_different_terminals: Successful login from different terminals
pt_nad: PT-CR-737: NAD_SAM_account_name_spoofing: A user requested a TGT
mitre_attck_privilege_escalation: PT-CR-2434: Distribution_Group_Member_Added: Adding user to a distribution group
active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: The user renamed the AD object or requested a TGT ticket on behalf of an account that matches the name of the domain controller. This may indicate a sAMAccountName spoofing attack. It can allow an attacker to obtain a TGT ticket, for example, in the name of a domain controller, gain a foothold in the system and increase their privileges
active_directory_attacks: PT-CR-656: Failed_Network_Access_with_Unknown_User: A user failed to log in to a host running Windows on behalf of a disabled or non-existent account. This may indicate account brute-forcing or compromised credentials.
active_directory_attacks: PT-CR-87: Session_enumeration_smb: Enumeration of active user sessions on a specific host. This lets an attacker learn which users are logged in locally or through a shared SMB network resource; with this data an attacker can gain access to the host being enumerated.
profiling: PT-CR-1034: App_1C_Enterprise_Abnormal_Access: Suspicious logon to 1C:Enterprise. Authentication data differ from the collected profile.
profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: A suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
profiling: PT-CR-1036: Mail_Abnormal_Access: Suspicious logon to an email account from a new address or mobile device. Authentication data differ from the collected profile.
profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
profiling: PT-CR-1041: Teamcity_Abnormal_Access: Suspicious logon to TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
profiling: PT-CR-1049: Subrule_Unix_Server_Abnormal_Access: Suspicious connections via SSH to Unix network servers. Authentication data differ from the collected profile.
profiling: PT-CR-1050: Subrule_Windows_Host_Abnormal_Access: Suspicious logon to a critical host. Authentication data differ from the collected profile.
profiling: PT-CR-1051: KSC_Console_Abnormal_Access: Suspicious logon to the Kaspersky Security Center console. Authentication data differ from the collected profile.
profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
profiling: PT-CR-1054: Subrule_Teampass_Login_Successful: Logon to TeamPass
profiling: PT-CR-1056: VPN_MultiUser_IP: The same IP address is used in different VPN sessions
profiling: PT-CR-1057: VPN_User_Abnormal_Access: Logon to internal resources under another user's account. Authentication data differ from the collected profile.
profiling: PT-CR-1059: vCenter_Abnormal_Access: Suspicious logon to vCenter. Authentication data differ from the collected profile.
profiling: PT-CR-1063: Wifi_Abnormal_Access: Suspicious connection to Wi-Fi equipment. Authentication data differ from the collected profile.
profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
clickhouse: PT-CR-1567: ClickHouse_logon_same_user_from_different_hosts: Attempts to log in to a DBMS under the same account from different hosts are detected
clickhouse: PT-CR-1579: ClickHouse_logon_same_host_different_users: Attempts to log in to a DBMS under different user accounts from the same host are detected
clickhouse: PT-CR-1580: ClickHouse_logon_of_significant_user: DBMS login under an account from the ClickHouse_significant_users tabular list is detected
bruteforce: PT-CR-1706: Probing_Auth_on_Various_Hosts: Multiple attempts to log in to different hosts under the same account. This may be a sign of an attacker trying to enter previously obtained credentials on various hosts in order to gain access.
profiling: PT-CR-1782: PT_IAM_Abnormal_Access: Suspicious logon to a Positive Technologies application using IAM. Authentication data differ from the collected profile.
profiling: PT-CR-1783: Owa_Abnormal_Access: Suspicious logon to Outlook Web App. Authentication data differ from the collected profile.
profiling: PT-CR-1784: MSSQL_Abnormal_Access: Suspicious logon to Microsoft SQL Server. Authentication data differ from the collected profile.
profiling: PT-CR-1785: Teampass_Abnormal_Access: Suspicious logon to TeamPass. Authentication data differ from the collected profile.
profiling: PT-CR-1787: MFA_Abnormal_Access: Suspicious authentication in Multifactor. Authentication data differ from the collected profile.
profiling: PT-CR-1788: Keycloak_Abnormal_Access: Suspicious logon via Keycloak. Authentication data differ from the collected profile.
profiling: PT-CR-1791: Application_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differ from the collected profile.
profiling: PT-CR-1792: ADFS_Abnormal_Access: Suspicious logon via Active Directory Federation Services (AD FS). Authentication data differ from the collected profile.
profiling: PT-CR-1793: Confluence_Abnormal_Access: Suspicious logon to Confluence. Authentication data differ from the collected profile.
profiling: PT-CR-1808: Passwork_Abnormal_Access: Suspicious logon to Passwork. Authentication data differ from the collected profile.
profiling: PT-CR-1809: Gitlab_Abnormal_Access: Suspicious logon to GitLab. Authentication data differ from the collected profile.
profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
profiling: PT-CR-1811: Teamcity_Abnormal_BuildConfig_Modify: Suspicious logon and build configuration changes in TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
kaspersky: PT-CR-1846: Kaspersky_Enable_User: A user enabled an account
profiling: PT-CR-1871: MECM_Abnormal_Access: Suspicious logon via Microsoft Endpoint Configuration Manager. Authentication data differ from the collected profile.
profiling: PT-CR-2456: FreeIPA_Abnormal_Access: Suspicious authentication in the FreeIPA domain. Authentication data differ from the previously collected profile.
profiling: PT-CR-1920: PTAF_Abnormal_Access: Suspicious logon to PT AF. Authentication data differ from the collected profile.
profiling: PT-CR-2059: Zabbix_Abnormal_Access: Suspicious logon to Zabbix. Authentication data differ from the previously collected profile.
enterprise_1c_and_bitrix: PT-CR-668: Enterprise_1C_using_various_accounts_on_one_terminal: Logging into the system from one host under multiple accounts
enterprise_1c_and_bitrix: PT-CR-669: Enterprise_1C_logon_of_significant_user: A user logged in under a blacklisted account
profiling: PT-CR-2137: Hashicorp_Vault_Abnormal_Access: Suspicious logon to Vault. Authentication data differ from the collected profile.
profiling: PT-CR-218: SecurityAdmin_Abnormal_Access: Suspicious logon by a security administrator. Authentication data differ from the collected profile.
profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
profiling: PT-CR-2325: Grafana_Abnormal_Access: Suspicious logon to Grafana. Authentication data differ from the collected profile.
profiling: PT-CR-2337: PostgreSQL_Abnormal_Access: Suspicious logon to DBMS PostgreSQL. Authentication data differ from the collected profile.
Detection
ID | Data source and component | Description
---|---|---
DS0028 | Logon Session: Logon Session Metadata | Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
DS0002 | User Account: User Account Authentication | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Note:
DS0028 | Logon Session: Logon Session Creation | Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary. Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page. Analytic 1: Remote Desktop Logon.
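The Logon Session Creation heuristics above can be expressed as a small detector over Event ID 4624 records. The following Python is an added example written for this page, not MaxPatrol SIEM rule code: the sample records are constructed, and the list of approved RDP source addresses, the business-hours range, the one-hour window and the threshold of three distinct accounts or hosts are assumptions. It goes slightly beyond the text by restricting the "many accounts on one host" check to interactive logon types (2 and 10) so that domain controllers and file servers, which legitimately receive type-3 network logons from many accounts, do not fire it.

```python
"""Detector for the Logon Session Creation heuristics (Event ID 4624).
Added example, not MaxPatrol SIEM code; thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names loosely follow the
# 4624 event attributes: TargetUserName -> user, LogonType -> logon_type,
# Computer -> host (where the session was created), IpAddress -> src.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "user": "alice", "logon_type": 2, "host": "WS-ALICE", "src": "-"},
    {"time": "2024-05-01T09:05:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3, "host": "FS01", "src": "10.0.0.21"},
    {"time": "2024-05-01T09:06:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3, "host": "FS02", "src": "10.0.0.21"},
    {"time": "2024-05-01T09:07:00", "event_id": 4624, "user": "svc_backup", "logon_type": 3, "host": "SQL01", "src": "10.0.0.21"},
    {"time": "2024-05-01T22:15:00", "event_id": 4624, "user": "bob", "logon_type": 10, "host": "DC01", "src": "10.0.5.77"},
    {"time": "2024-05-01T10:00:00", "event_id": 4624, "user": "itadmin", "logon_type": 10, "host": "DC01", "src": "10.0.1.10"},
    {"time": "2024-05-01T10:20:00", "event_id": 4624, "user": "carol", "logon_type": 2, "host": "WS-SHARED", "src": "-"},
    {"time": "2024-05-01T10:40:00", "event_id": 4624, "user": "dave", "logon_type": 2, "host": "WS-SHARED", "src": "-"},
    {"time": "2024-05-01T10:50:00", "event_id": 4624, "user": "erin", "logon_type": 2, "host": "WS-SHARED", "src": "-"},
    {"time": "2024-05-01T11:00:00", "event_id": 4634, "user": "alice", "logon_type": 2, "host": "WS-ALICE", "src": "-"},
    {"time": "2024-05-01T11:05:00", "event_id": 4624, "user": "frank", "logon_type": 5, "host": "WS-FRANK", "src": "-"},
]

LOGON_TYPES_OF_INTEREST = {2, 3, 9, 10}   # the types the description calls out
INTERACTIVE_TYPES = {2, 10}               # console and RDP sessions
APPROVED_RDP_SOURCES = {"10.0.1.10"}      # assumption: the admin jump host
BUSINESS_HOURS = range(8, 19)             # assumption: 08:00 to 18:59


def parse_time(event):
    return datetime.fromisoformat(event["time"])


def interesting_logons(events):
    """Keep successful logons (4624) of the logon types the page calls out."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] in LOGON_TYPES_OF_INTEREST]


def rdp_from_unapproved_sources(events, approved=APPROVED_RDP_SOURCES):
    """Analytic 1: RDP logon (type 10) whose source is not an approved workstation."""
    return [(e["user"], e["host"], e["src"]) for e in interesting_logons(events)
            if e["logon_type"] == 10 and e["src"] not in approved]


def _distinct_within_window(events, key, value, window, threshold):
    """Group events by `key`; report groups in which at least `threshold`
    distinct `value`s occur inside some time window of length `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append((parse_time(e), e[value]))
    hits = {}
    for group, items in groups.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {v for t, v in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[group] = seen
                break
    return hits


def account_on_multiple_hosts(events, window=timedelta(hours=1), threshold=3):
    """One account creating sessions on many systems in a short period."""
    return _distinct_within_window(interesting_logons(events), "user", "host", window, threshold)


def multiple_accounts_on_host(events, window=timedelta(hours=1), threshold=3):
    """Several accounts interactively logged into one machine within the same hour."""
    interactive = [e for e in interesting_logons(events) if e["logon_type"] in INTERACTIVE_TYPES]
    return _distinct_within_window(interactive, "host", "user", window, threshold)


def off_hours_logons(events, hours=BUSINESS_HOURS):
    """Interactive logons outside business hours."""
    return [(e["user"], e["host"], e["time"]) for e in interesting_logons(events)
            if e["logon_type"] in INTERACTIVE_TYPES and parse_time(e).hour not in hours]


def detect(events):
    """Run every check and return the findings keyed by check name."""
    return {
        "rdp_unapproved_source": rdp_from_unapproved_sources(events),
        "account_on_multiple_hosts": account_on_multiple_hosts(events),
        "multiple_accounts_on_host": multiple_accounts_on_host(events),
        "off_hours_logons": off_hours_logons(events),
    }


if __name__ == "__main__":
    for name, findings in detect(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

On the constructed sample the detector flags the service account fanning out to three servers within minutes, three different people at the shared workstation within one hour, and a late-evening RDP session to the domain controller from an address outside the approved set; the administrator's RDP session from the jump host and the non-interactive type-5 service logon are not reported. In production the same checks would read 4624 records from the Security log or a SIEM rather than the embedded list.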
Mitigation
ID | Name | Description
---|---|---
M1032 | Multi-factor Authentication | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
M1026 | Privileged Account Management | Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.
M1017 | User Training | Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.