T1078

Valid Accounts

Initial Access Persistence Privilege Escalation Defense Evasion

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.

Microsoft Sentinel / Defender

kusto

// Detect anomalous logon patterns indicative of compromised valid accounts
let LookbackDays = 14d;
let AnomalyWindow = 1d;
// Baseline: countries/cities seen per user in lookback window
let UserLocationBaseline = SigninLogs
| where TimeGenerated between (ago(LookbackDays) .. ago(AnomalyWindow))
| where ResultType == 0
| summarize BaselineLocations=make_set(Location), BaselineIPs=make_set(IPAddress), BaselineApps=make_set(AppDisplayName) by UserPrincipalName;
// Recent logons to compare against baseline
let RecentLogons = SigninLogs
| where TimeGenerated > ago(AnomalyWindow)
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
         DeviceDetail, AuthenticationRequirement, ConditionalAccessStatus,
         RiskLevelDuringSignIn, RiskLevelAggregated, IsInteractive;
// Join and find anomalies
RecentLogons
| join kind=leftouter UserLocationBaseline on UserPrincipalName
| extend NewLocation = not(Location in (BaselineLocations))
| extend NewIP = not(IPAddress in (BaselineIPs))
| extend NewApp = not(AppDisplayName in (BaselineApps))
| extend AnomalyScore = toint(NewLocation) + toint(NewIP) + toint(NewApp)
         + toint(RiskLevelDuringSignIn in ("high", "medium"))
         + toint(ConditionalAccessStatus == "notApplied")
| where AnomalyScore >= 2 or RiskLevelDuringSignIn == "high"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
         NewLocation, NewIP, NewApp, AnomalyScore,
         RiskLevelDuringSignIn, RiskLevelAggregated,
         ConditionalAccessStatus, AuthenticationRequirement,
         IsInteractive, DeviceDetail
| sort by AnomalyScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Azure Active Directory Sign-In Logs

Required Tables

SigninLogs

False Positives

Legitimate travel — users accessing resources from new countries or cities during business travel
VPN or proxy changes — users switching VPN exit nodes causing IP and apparent location changes
New device enrollment — first-time access from a newly provisioned corporate device triggers 'new IP' anomaly
After-hours legitimate access — on-call engineers or executives working outside normal hours from home networks
Conditional Access policy rollout periods — new CA policies may temporarily show as 'notApplied' during staged deployment

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security"
  (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4672)
| eval LogonType=case(
    LogonType=="2", "Interactive",
    LogonType=="3", "Network",
    LogonType=="4", "Batch",
    LogonType=="5", "Service",
    LogonType=="7", "Unlock",
    LogonType=="8", "NetworkCleartext",
    LogonType=="9", "NewCredentials",
    LogonType=="10", "RemoteInteractive",
    LogonType=="11", "CachedInteractive",
    true(), "Unknown_"+LogonType)
| eval IsPrivileged=if(EventCode=="4672", 1, 0)
| eval IsFailed=if(EventCode=="4625", 1, 0)
| eval IsNewCredentials=if(EventCode=="4648", 1, 0)
| eval SuspiciousLogonType=if(LogonType IN ("NetworkCleartext", "NewCredentials"), 1, 0)
| eval IsAdminAccount=if(match(lower(TargetUserName), "(admin|svc|service|sa_|_svc|robot|automation)"), 1, 0)
| stats count as TotalEvents,
        sum(IsFailed) as FailedLogons,
        sum(IsPrivileged) as PrivilegedLogons,
        sum(IsNewCredentials) as NewCredentialUse,
        sum(SuspiciousLogonType) as SuspiciousLogonTypes,
        values(LogonType) as LogonTypes,
        values(IpAddress) as SourceIPs,
        dc(IpAddress) as UniqueSourceIPs,
        values(WorkstationName) as Workstations,
        dc(WorkstationName) as UniqueWorkstations
  by TargetUserName, TargetDomainName, _time span=1h
| eval RiskScore=SuspiciousLogonTypes*2 + if(FailedLogons>5 AND PrivilegedLogons>0, 3, 0)
               + if(UniqueSourceIPs>3, 2, 0) + if(UniqueWorkstations>4, 2, 0)
               + NewCredentialUse
| where RiskScore >= 3
| table _time, TargetUserName, TargetDomainName, TotalEvents, FailedLogons,
        PrivilegedLogons, NewCredentialUse, UniqueSourceIPs, SourceIPs,
        UniqueWorkstations, LogonTypes, RiskScore
| sort - RiskScore

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Service accounts performing scheduled tasks across multiple hosts — these legitimately generate high-volume network logon events from multiple workstations
IT administrators managing servers via RDP or PSRemoting — legitimate multi-workstation remote interactive logons from admin accounts
Password synchronization tools and SSO solutions causing 4648 (explicit credential) events in bulk during sync cycles
Backup agents and monitoring software authenticating to multiple endpoints — creates legitimate multi-source-IP logon patterns
Domain controller replication events generating multiple 4624 type 3 (network) logons between DCs

IBM QRadar (AQL)

sql

SELECT
  username AS target_user,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00') AS event_hour,
  COUNT(*) AS total_events,
  COUNT(DISTINCT sourceip) AS unique_source_ips,
  SUM(CASE WHEN eventid = 4625 THEN eventcount ELSE 0 END) AS failed_logons,
  SUM(CASE WHEN eventid = 4672 THEN eventcount ELSE 0 END) AS privileged_logons,
  SUM(CASE WHEN eventid = 4648 THEN eventcount ELSE 0 END) AS new_credential_use,
  SUM(CASE WHEN eventid = 4624 THEN eventcount ELSE 0 END) AS successful_logons,
  MIN(sourceip) AS sample_source_ip
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid IN (4624, 4625, 4648, 4672)
  AND username NOT IN ('SYSTEM', 'ANONYMOUS LOGON', '-', 'LOCAL SERVICE', 'NETWORK SERVICE')
  AND username NOT LIKE '%$'
  AND starttime > NOW() - 3600000
GROUP BY
  username,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00')
HAVING
  failed_logons > 5
  OR (unique_source_ips > 3 AND successful_logons > 0)
  OR (new_credential_use > 0 AND privileged_logons > 0)
ORDER BY total_events DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar WinCollect) Microsoft Windows Security Event Log DSM IBM QRadar Log Source Extension for Windows

Required Tables

events

False Positives

System administrators who authenticate to many managed workstations from a single jump host generate multiple 4624 events with the same sourceip, but automated inventory or patch management tools may pull credentials from several IPs, inflating unique_source_ips past the threshold during maintenance windows
Ansible, SCCM, or similar configuration management platforms that authenticate as a service account across dozens of endpoints in parallel within a single hour will reliably exceed the unique_source_ips threshold without any malicious activity
Helpdesk workflows where staff use RunAs (generating 4648) to launch an elevated tool and then perform privileged operations (generating 4672) during a support ticket are a common and entirely legitimate co-occurrence of new_credential_use and privileged_logons

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*WinEventLog* OR _sourceCategory=*Security*
| where EventCode in ("4624", "4625", "4648", "4672")
| parse regex field=Message "Account Name:\\s+(?<TargetUserName>\\S+)" nodrop
| parse regex field=Message "Account Domain:\\s+(?<TargetDomainName>\\S+)" nodrop
| parse regex field=Message "Logon Type:\\s+(?<LogonType>\\d+)" nodrop
| parse regex field=Message "Source Network Address:\\s+(?<SourceIP>[^\\s\\r\\n]+)" nodrop
| where TargetUserName != "SYSTEM" and TargetUserName != "ANONYMOUS LOGON" and TargetUserName != "-"
| where !(TargetUserName matches /.*\$$/) 
| where SourceIP != "-" and !(SourceIP matches /^$/) 
| eval IsFailed = if(EventCode == "4625", 1, 0)
| eval IsPrivileged = if(EventCode == "4672", 1, 0)
| eval IsNewCreds = if(EventCode == "4648", 1, 0)
| eval IsSuspiciousLogon = if(LogonType in ("8", "9"), 1, 0)
| eval IsAdminAccount = if(TargetUserName matches /(?i)(admin|svc|service|sa_|_svc|robot|automation)/, 1, 0)
| timeslice 1h
| stats sum(IsFailed) as FailedLogons,
        sum(IsPrivileged) as PrivilegedLogons,
        sum(IsNewCreds) as NewCredentialUse,
        sum(IsSuspiciousLogon) as SuspiciousLogons,
        sum(IsAdminAccount) as AdminAccountEvents,
        count_distinct(SourceIP) as UniqueSourceIPs,
        count as TotalEvents
  by _timeslice, TargetUserName, TargetDomainName
| eval RiskScore = (SuspiciousLogons * 2)
                 + if(FailedLogons > 5 and PrivilegedLogons > 0, 3, 0)
                 + if(UniqueSourceIPs > 3, 2, 0)
                 + NewCredentialUse
                 + (AdminAccountEvents > 0 ? 1 : 0)
| where RiskScore >= 3
| sort by RiskScore desc

high severity medium confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Windows Event Log Source) Sumo Logic Cloud Syslog for Windows Event Forwarding

Required Tables

_sourceCategory (WinEventLog/Security or equivalent)

False Positives

Users connecting through Citrix Virtual Apps or a terminal services gateway may authenticate from multiple backend proxy IPs within a single hour, inflating UniqueSourceIPs past the threshold without any credential compromise
Robotic Process Automation (RPA) tools that use NetworkCleartext (type 8) logons against legacy web applications or mainframe connectors as part of scheduled automation workflows will consistently score as suspicious logon types
Shared administrator accounts used simultaneously by multiple helpdesk analysts from their individual workstations generate high UniqueSourceIPs counts and may also trigger admin-account pattern matching even during fully authorized operations

Google Chronicle / SecOps

yaral

rule t1078_valid_accounts_failed_then_privileged_logon {
  meta:
    author = "Detection Engineering"
    description = "Detects T1078 Valid Accounts abuse: 5+ failed authentication events followed within one hour by a successful logon with elevated privileges or suspicious authentication mechanism"
    mitre_attack_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1078"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $fail.metadata.event_type = "USER_LOGIN_FAIL"
    $fail.metadata.vendor_name = "Microsoft"
    $fail.target.user.userid != ""
    not re.regex($fail.target.user.userid, `(?i)^(SYSTEM|ANONYMOUS LOGON|LOCAL SERVICE|NETWORK SERVICE)$`)
    not re.regex($fail.target.user.userid, `\$$`)
    $user = $fail.target.user.userid

    $success.metadata.event_type = "USER_LOGIN"
    $success.target.user.userid = $user
    (
      $success.extensions.auth.auth_details = "NetworkCleartext" or
      $success.extensions.auth.auth_details = "NewCredentials" or
      $success.extensions.auth.auth_details = "RemoteInteractive" or
      $success.extensions.auth.mechanism = "REMOTE" or
      $success.security_result.severity_details = "HIGH"
    )

  match:
    $user over 1h

  condition:
    #fail > 5 and #success >= 1
}

high severity high confidence

Data Sources

Google Chronicle UDM Microsoft Windows Security Events (via Chronicle Windows Sensor or Forwarder) Azure AD Sign-in Logs (via Chronicle Azure AD ingestion)

Required Tables

UDM Events — event_type: USER_LOGIN, USER_LOGIN_FAIL

False Positives

Users who repeatedly mistype a complex new password after a forced reset before successfully authenticating via an RDP gateway will satisfy the 5-failure threshold and match RemoteInteractive in the success event
Automated testing or synthetic monitoring agents that deliberately attempt credential validation (expecting failures) before performing a confirmation successful logon as part of identity health checks
Azure AD B2B guest account federation flows where the initial authentication attempts fail against the home tenant before succeeding through an external IdP, generating failure UDM events prior to the successful federated logon

CrowdStrike LogScale (CQL)

cql

// T1078 - Valid Accounts: Anomalous authentication risk scoring via Falcon telemetry
#event_simpleName in ("UserLogon", "UserLogonFailed2", "UserLogonV2")
| IsFailure := if(#event_simpleName = "UserLogonFailed2", "true", "false")
| groupBy([UserName, UserSid], function=[
    count(as=TotalEvents),
    count(filter={IsFailure = "true"}, as=FailedLogons),
    count(filter={IsFailure = "false"}, as=SuccessfulLogons),
    count(distinct=RemoteAddressIP4, as=UniqueSourceIPs),
    count(distinct=ComputerName, as=UniqueHosts),
    collect(RemoteAddressIP4, limit=10, as=SourceIPList),
    collect(ComputerName, limit=10, as=HostList)
  ], limit=10000)
| FailedLogons := toInt(FailedLogons)
| SuccessfulLogons := toInt(SuccessfulLogons)
| UniqueSourceIPs := toInt(UniqueSourceIPs)
| UniqueHosts := toInt(UniqueHosts)
| RiskScore := if(FailedLogons > 5 and SuccessfulLogons > 0, 3, 0)
             + if(UniqueSourceIPs > 3, 2, 0)
             + if(UniqueHosts > 4, 2, 0)
| where RiskScore >= 3
| where UserName != "" and UserName != "-"
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring (EAM) CrowdStrike Falcon Identity Protection CrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName: UserLogon, UserLogonFailed2, UserLogonV2

False Positives

Falcon sensor deployment or mass update events generate synthetic logon telemetry across large numbers of hosts simultaneously, potentially inflating UniqueHosts counts for system or installer accounts beyond the detection threshold
Users connecting to cloud workloads through a cloud access security broker (CASB) or identity proxy that routes authentication through multiple egress IPs within a single session will exceed the UniqueSourceIPs threshold without any malicious activity
DevOps pipelines that authenticate a shared service account against multiple ephemeral build agents, Kubernetes nodes, or cloud VM instances during CI/CD runs will consistently exceed both the UniqueHosts and SuccessfulLogons thresholds as normal pipeline behavior

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Valid Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Initial Access

Popular Detections