T1078.001 Default Accounts Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let DefaultAccountNames = dynamic([
  "administrator", "guest", "defaultaccount", "defaultuser", "admin",
  "root", "vpxuser", "dcadmin", "sysadmin", "service", "support",
  "user", "test", "demo", "operator", "sa", "netadmin"
]);
let SuspiciousLogonTypes = dynamic([2, 3, 7, 10]);
// Part 1: Windows Security Logon Events for default account usage
let WindowsLogons = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4625, 4648)
| where tolower(TargetUserName) in (DefaultAccountNames)
| extend LogonTypeName = case(
    LogonType == 2, "Interactive",
    LogonType == 3, "Network",
    LogonType == 7, "Unlock",
    LogonType == 10, "RemoteInteractive",
    LogonType == 4, "Batch",
    LogonType == 5, "Service",
    tostring(LogonType)
  )
| extend IsFailedLogon = (EventID == 4625)
| extend IsExplicitCred = (EventID == 4648)
| project
    TimeGenerated,
    Computer,
    EventID,
    TargetUserName,
    TargetDomainName,
    LogonType,
    LogonTypeName,
    IpAddress,
    WorkstationName,
    IsFailedLogon,
    IsExplicitCred,
    SubjectUserName,
    SubjectDomainName
| extend AlertSource = "WindowsSecurityLogon";
// Part 2: Defender for Endpoint DeviceLogonEvents
let MdeLogons = DeviceLogonEvents
| where Timestamp > ago(24h)
| where tolower(AccountName) in (DefaultAccountNames)
| extend IsFailedLogon = (ActionType == "LogonFailed")
| project
    TimeGenerated = Timestamp,
    Computer = DeviceName,
    EventID = 0,
    TargetUserName = AccountName,
    TargetDomainName = AccountDomain,
    LogonType,
    LogonTypeName = LogonType,
    IpAddress = RemoteIP,
    WorkstationName = RemoteDeviceName,
    IsFailedLogon,
    IsExplicitCred = false,
    SubjectUserName = InitiatingProcessAccountName,
    SubjectDomainName = InitiatingProcessAccountDomain
| extend AlertSource = "MDE";
// Part 3: Command-line evidence of default account manipulation
let DefaultAccountCmdline = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "net user defaultaccount /active:yes",
    "net user guest /active:yes",
    "net user administrator /active:yes",
    "DefaultAccount",
    "net localgroup administrators guest",
    "net localgroup administrators defaultaccount"
  )
| project
    TimeGenerated = Timestamp,
    Computer = DeviceName,
    EventID = 0,
    TargetUserName = AccountName,
    TargetDomainName = AccountDomain,
    LogonType = 0,
    LogonTypeName = "ProcessExecution",
    IpAddress = "",
    WorkstationName = "",
    IsFailedLogon = false,
    IsExplicitCred = false,
    SubjectUserName = InitiatingProcessAccountName,
    SubjectDomainName = InitiatingProcessAccountDomain
| extend AlertSource = "CmdlineActivity";
WindowsLogons
| union MdeLogons
| union DefaultAccountCmdline
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Process: Process Creation Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

SecurityEvent DeviceLogonEvents DeviceProcessEvents

False Positives

Legitimate administrator accounts named 'Administrator' used by IT staff for maintenance tasks in environments without privileged access workstations (PAWs)
Automated deployment or imaging systems that authenticate with the built-in Administrator account during machine provisioning (SCCM OSD, MDT)
Legacy applications or services running under the built-in Guest or Administrator context that have not been migrated to service accounts
Penetration testing or red team exercises explicitly testing default credential scenarios
Database administrators legitimately connecting via 'sa' account to SQL Server instances in older environments

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
  (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=1)
| eval TargetUser=coalesce(TargetUserName, User)
| eval TargetUser_lower=lower(TargetUser)
| eval is_default_account=if(
    TargetUser_lower IN ("administrator", "guest", "defaultaccount", "defaultuser", "admin",
                         "root", "vpxuser", "dcadmin", "sysadmin", "service", "support",
                         "user", "test", "demo", "operator", "sa", "netadmin"),
    1, 0
  )
| eval is_default_cmdline=if(
    EventCode=1 AND (
      match(lower(CommandLine), "net user defaultaccount /active:yes") OR
      match(lower(CommandLine), "net user guest /active:yes") OR
      match(lower(CommandLine), "net user administrator /active:yes") OR
      match(lower(CommandLine), "net localgroup administrators (guest|defaultaccount|administrator)")
    ),
    1, 0
  )
| where is_default_account=1 OR is_default_cmdline=1
| eval EventType=case(
    EventCode=4624, "SuccessfulLogon",
    EventCode=4625, "FailedLogon",
    EventCode=4648, "ExplicitCredentialLogon",
    EventCode=1,    "ProcessCreation",
    true(),         "Unknown"
  )
| eval LogonTypeLabel=case(
    LogonType="2",  "Interactive",
    LogonType="3",  "Network",
    LogonType="7",  "Unlock",
    LogonType="10", "RemoteInteractive",
    LogonType="4",  "Batch",
    LogonType="5",  "Service",
    LogonType!="",  "LogonType_".LogonType,
    true(),          "N/A"
  )
| eval SourceIP=coalesce(IpAddress, SourceAddress)
| table _time, host, EventCode, EventType, TargetUser, TargetDomainName, LogonTypeLabel, SourceIP, WorkstationName, SubjectUserName, CommandLine, is_default_cmdline
| sort - _time

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Process: Process Creation Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate administrator accounts named 'Administrator' used by IT staff for maintenance tasks in environments without privileged access workstations (PAWs)
Automated deployment or imaging systems that authenticate with the built-in Administrator account during machine provisioning (SCCM OSD, MDT)
Legacy applications or services running under the built-in Guest or Administrator context that have not been migrated to service accounts
Penetration testing or red team exercises explicitly testing default credential scenarios
Database administrators legitimately connecting via 'sa' account to SQL Server instances in older environments

Elastic Security (EQL)

eql

any where
  (
    event.category == "authentication" and
    event.outcome in ("success", "failure") and
    user.name regex~ "^(administrator|guest|defaultaccount|defaultuser|admin|root|vpxuser|dcadmin|sysadmin|service|support|user|test|demo|operator|sa|netadmin)$"
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.command_line like~ (
      "*net user defaultaccount /active:yes*",
      "*net user guest /active:yes*",
      "*net user administrator /active:yes*",
      "*net localgroup administrators guest*",
      "*net localgroup administrators defaultaccount*"
    )
  )

high severity high confidence

Data Sources

Windows Security Event Log via Winlogbeat or Elastic Agent Sysmon via Winlogbeat or Elastic Agent Linux auditd via Filebeat auditd module Elastic Endpoint (endpoint.events.process, endpoint.events.authentication)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.authentication-* winlogbeat-* .ds-logs-system.security-*

False Positives

IT administrators legitimately using the built-in Administrator account for system maintenance or break-glass scenarios in environments that permit it by policy.
Service accounts with generic names (sa, service, admin) configured by legacy applications or middleware that predate organizational naming conventions.
Development, staging, or QA environments where demo, test, or guest accounts are routinely used for lab exercises and automated integration testing pipelines.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  destinationip,
  "EventID",
  "LogonType",
  "CommandLine",
  "WorkstationName",
  "TargetDomainName"
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    (
      LOWER(username) IN (
        'administrator', 'guest', 'defaultaccount', 'defaultuser', 'admin',
        'root', 'vpxuser', 'dcadmin', 'sysadmin', 'service', 'support',
        'user', 'test', 'demo', 'operator', 'sa', 'netadmin'
      )
      AND "EventID" IN ('4624', '4625', '4648')
    )
    OR (
      "EventID" = '1'
      AND (
        LOWER("CommandLine") LIKE '%net user defaultaccount /active:yes%'
        OR LOWER("CommandLine") LIKE '%net user guest /active:yes%'
        OR LOWER("CommandLine") LIKE '%net user administrator /active:yes%'
        OR LOWER("CommandLine") LIKE '%net localgroup administrators guest%'
        OR LOWER("CommandLine") LIKE '%net localgroup administrators defaultaccount%'
      )
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar Windows Security Event Log DSM IBM QRadar Microsoft Sysmon DSM WinCollect agent collecting Windows Security and Sysmon event logs from endpoints

Required Tables

events

False Positives

Legitimate administrative use of the built-in Administrator account during patch cycles, emergency access procedures, or system recovery operations backed by a change ticket.
Automated monitoring or vulnerability scanning tools (Nessus, Qualys, Rapid7 InsightVM) configured with default credentials for authenticated scanning during authorized assessment windows.
Configuration management systems (Ansible, SCCM, Puppet) using service or admin accounts during initial system provisioning or scheduled software deployment runs.

Sumo Logic CSE

sql

(_sourceCategory=*windows/security* OR _sourceCategory=*windows/sysmon*)
| where EventCode in ("4624","4625","4648","1")
| eval TargetUser = if(!isNull(TargetUserName), TargetUserName, if(!isNull(User), User, ""))
| eval TargetUser_lower = toLowerCase(TargetUser)
| where (TargetUser_lower in ("administrator","guest","defaultaccount","defaultuser","admin","root","vpxuser","dcadmin","sysadmin","service","support","user","test","demo","operator","sa","netadmin"))
  OR (EventCode = "1" AND (
    matches(toLowerCase(CommandLine), "net user (defaultaccount|guest|administrator) /active:yes")
    OR matches(toLowerCase(CommandLine), "net localgroup administrators (guest|defaultaccount|administrator)")
  ))
| eval EventType = if(EventCode="4624","SuccessfulLogon",if(EventCode="4625","FailedLogon",if(EventCode="4648","ExplicitCredentialLogon",if(EventCode="1","ProcessCreation","Unknown"))))
| eval LogonTypeLabel = if(LogonType="2","Interactive",if(LogonType="3","Network",if(LogonType="7","Unlock",if(LogonType="10","RemoteInteractive",if(LogonType="4","Batch",if(LogonType="5","Service",LogonType))))))
| fields _messageTime, _sourceHost, EventCode, EventType, TargetUser_lower as TargetUser, LogonTypeLabel, IpAddress, WorkstationName, CommandLine
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Security Event Log source via Installed Collector Sumo Logic Sysmon source via Installed Collector Sumo Logic OpenTelemetry Collector with Windows Event Log receiver

Required Tables

_sourceCategory=*windows/security* _sourceCategory=*windows/sysmon*

False Positives

Helpdesk and IT operations staff with documented break-glass procedures using the built-in Administrator account during outages or access recovery scenarios approved in ITSM.
Security scanning tools (Nessus, Qualys, Rapid7) using default credentials for authenticated scanning of internal assets during authorized and scheduled assessment windows.
Containerized or virtualized workloads using generic account names (admin, service, test) that are isolated, non-domain-joined, and explicitly permitted by application security policy.

Google Chronicle / SecOps

yaral

rule t1078_001_default_account_logon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects authentication using default built-in system accounts (T1078.001)"
    mitre_technique = "T1078.001"
    mitre_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $auth.metadata.event_type = "USER_LOGIN" or
      $auth.metadata.event_type = "USER_LOGIN_FAIL"
    )
    re.regex($auth.target.user.userid, `(?i)^(administrator|guest|defaultaccount|defaultuser|admin|root|vpxuser|dcadmin|sysadmin|service|support|user|test|demo|operator|sa|netadmin)$`)
    $host = $auth.principal.hostname

  match:
    $host over 24h

  outcome:
    $risk_score = 75
    $username = array_distinct($auth.target.user.userid)
    $source_ip = array_distinct($auth.principal.ip)
    $event_types = array_distinct($auth.metadata.event_type)

  condition:
    $auth
}

rule t1078_001_default_account_activation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects command-line activation or privilege escalation of default built-in accounts (T1078.001)"
    mitre_technique = "T1078.001"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.target.process.command_line, `(?i)(net\s+user\s+(defaultaccount|guest|administrator)\s+/active:yes|net\s+localgroup\s+administrators\s+(guest|defaultaccount|administrator))`)
    $host = $proc.principal.hostname

  match:
    $host over 24h

  outcome:
    $risk_score = 95
    $cmdline = array_distinct($proc.target.process.command_line)
    $actor = array_distinct($proc.principal.user.userid)

  condition:
    $proc
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Security Event Log ingestion via forwarder Google Chronicle with Microsoft Defender for Endpoint UDM normalization Chronicle Unified Data Model (UDM) with normalized authentication and process launch events from any supported log source

Required Tables

UDM events: USER_LOGIN UDM events: USER_LOGIN_FAIL UDM events: PROCESS_LAUNCH

False Positives

Authorized system administrators using break-glass Administrator credentials during emergency access scenarios documented in ITSM change management systems.
Automated provisioning pipelines using service or admin accounts to configure newly joined systems before domain integration and hardening is completed.
Penetration testing engagements using default credentials as part of scope-approved internal red-team assessments against managed endpoints — correlate against authorized test windows.

CrowdStrike LogScale (CQL)

cql

union(
  {
    (#event_simpleName=UserLogon OR #event_simpleName=UserLogonFailed2)
    | UserName = /(?i)^(administrator|guest|defaultaccount|defaultuser|admin|root|vpxuser|dcadmin|sysadmin|service|support|user|test|demo|operator|sa|netadmin)$/
    | eval(EventType="DefaultAccountLogon")
  },
  {
    #event_simpleName=ProcessRollup2
    | CommandLine = regex("(?i)(net\s+user\s+(defaultaccount|guest|administrator)\s+/active:yes|net\s+localgroup\s+administrators\s+(guest|defaultaccount|administrator))")
    | eval(EventType="DefaultAccountActivation")
  }
)
| table([_time, ComputerName, UserName, UserPrincipalName, LogonType_decimal, RemoteIP, CommandLine, EventType, #event_simpleName])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint sensor — UserLogon and UserLogonFailed2 telemetry CrowdStrike Falcon Endpoint sensor — ProcessRollup2 process creation telemetry CrowdStrike Falcon Data Replicator (FDR) pipeline or Falcon LogScale SIEM

Required Tables

UserLogon UserLogonFailed2 ProcessRollup2

False Positives

IT staff accessing servers using local Administrator accounts during domain-disconnected maintenance windows, disaster recovery procedures, or when domain controllers are unreachable.
Security operations teams running authorized adversary simulation (red team) or purple team exercises using default credentials against scoped target systems within approved test windows.
Automated Ansible, Chef, or Puppet configuration management runs that authenticate with local service or admin accounts to complete node configuration tasks during deployment pipelines.

Default Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections