Detect Default Accounts in Google Chronicle
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those built into an OS (e.g., Guest or Administrator on Windows, root on Linux), preset on network devices/appliances, or created automatically by software integrations (e.g., vpxuser on ESXi when joined to vCenter). Adversaries exploit organizations that fail to disable, rename, or change the passwords of these accounts post-installation.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Sub-technique: T1078.001 Default Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/001/
YARA-L Detection Query
rule t1078_001_default_account_logon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects authentication using default built-in system accounts (T1078.001)"
    mitre_technique = "T1078.001"
    mitre_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Successful and failed logons alike; a failed spray against "administrator" is as interesting as a success.
    (
      $auth.metadata.event_type = "USER_LOGIN" or
      $auth.metadata.event_type = "USER_LOGIN_FAIL"
    )
    // Anchored, case-insensitive: the whole userid must be one of the listed names.
    re.regex($auth.target.user.userid, `(?i)^(administrator|guest|defaultaccount|defaultuser|admin|root|vpxuser|dcadmin|sysadmin|service|support|user|test|demo|operator|sa|netadmin)$`)
    $host = $auth.principal.hostname

  match:
    $host over 24h

  outcome:
    $risk_score = 75
    $username = array_distinct($auth.target.user.userid)
    $source_ip = array_distinct($auth.principal.ip)
    $event_types = array_distinct($auth.metadata.event_type)

  condition:
    $auth
}

rule t1078_001_default_account_activation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects command-line activation or privilege escalation of default built-in accounts (T1078.001)"
    mitre_technique = "T1078.001"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    // Branch 1: enabling a disabled default account. Branch 2: any "net localgroup administrators <name>" invocation.
    re.regex($proc.target.process.command_line, `(?i)(net\s+user\s+(defaultaccount|guest|administrator)\s+/active:yes|net\s+localgroup\s+administrators\s+(guest|defaultaccount|administrator))`)
    $host = $proc.principal.hostname

  match:
    $host over 24h

  outcome:
    $risk_score = 95
    $cmdline = array_distinct($proc.target.process.command_line)
    $actor = array_distinct($proc.principal.user.userid)

  condition:
    $proc
}

Two Chronicle YARA-L 2.0 rules targeting T1078.001. The first matches USER_LOGIN and USER_LOGIN_FAIL UDM events whose target.user.userid equals one of the listed default account names (case-insensitive, anchored regex, so a domain-qualified value such as CORP\Administrator or a UPN does not match); it groups by principal.hostname over 24 hours and outputs the risk score and the deduplicated usernames, source IPs and event types seen in the window. The second matches PROCESS_LAUNCH events whose target.process.command_line enables a default account (net user <name> /active:yes) or names one in a net localgroup administrators command; it carries the higher risk score of 95 because it represents direct account manipulation rather than mere use. Note that the localgroup branch of the regex does not check for /add, so a /delete of the same account also fires.
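To see what the two rules actually fire on before deploying them, the following added Python example (not part of this page and not Chronicle code; YARA-L cannot be executed offline) re-implements the two event predicates, the per-host 24h match window and the outcome variables, and runs them over a handful of constructed UDM-shaped events. The hostnames, IPs, timestamps and the jdoe account are invented, and the window logic is a simplified window anchored at the first matching event rather than Chronicle's hop window. The sample deliberately includes two edge cases: a domain-qualified userid (CORP\Administrator) that the anchored regex misses, and a net localgroup ... /delete that the activation regex still matches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regexes copied verbatim from the two YARA-L rules above. Chronicle's re.regex uses
# RE2 syntax; these patterns behave identically under Python's re module.
DEFAULT_ACCOUNT_RE = re.compile(
    r"(?i)^(administrator|guest|defaultaccount|defaultuser|admin|root|vpxuser|dcadmin"
    r"|sysadmin|service|support|user|test|demo|operator|sa|netadmin)$"
)
ACTIVATION_RE = re.compile(
    r"(?i)(net\s+user\s+(defaultaccount|guest|administrator)\s+/active:yes"
    r"|net\s+localgroup\s+administrators\s+(guest|defaultaccount|administrator))"
)
MATCH_WINDOW = timedelta(hours=24)


def logon_rule_matches(ev):
    """Event predicate of t1078_001_default_account_logon."""
    return (ev["metadata"]["event_type"] in ("USER_LOGIN", "USER_LOGIN_FAIL")
            and DEFAULT_ACCOUNT_RE.search(ev["target"]["user"]["userid"]) is not None)


def activation_rule_matches(ev):
    """Event predicate of t1078_001_default_account_activation."""
    return (ev["metadata"]["event_type"] == "PROCESS_LAUNCH"
            and ACTIVATION_RE.search(ev["target"]["process"]["command_line"]) is not None)


def match_over_window(events, predicate, outcome):
    """Approximates `match: $host over 24h`: matching events for one hostname are
    grouped into 24h windows anchored at the first matching event of each window
    (a simplification of Chronicle's hop window, labelled as such)."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["metadata"]["event_timestamp"]):
        if predicate(ev):
            per_host[ev["principal"]["hostname"]].append(ev)
    detections = []
    for host, evs in per_host.items():
        window, start = [], evs[0]["metadata"]["event_timestamp"]
        for ev in evs:
            ts = ev["metadata"]["event_timestamp"]
            if ts - start >= MATCH_WINDOW:          # window closed: emit and open a new one
                detections.append(outcome(host, window))
                window, start = [], ts
            window.append(ev)
        detections.append(outcome(host, window))
    return detections


def array_distinct(values):
    """Stand-in for YARA-L array_distinct(); sorted for deterministic output."""
    return sorted(set(values))


def logon_outcome(host, evs):
    return {"rule": "t1078_001_default_account_logon", "host": host, "risk_score": 75,
            "username": array_distinct(e["target"]["user"]["userid"] for e in evs),
            "source_ip": array_distinct(e["principal"]["ip"] for e in evs),
            "event_types": array_distinct(e["metadata"]["event_type"] for e in evs)}


def activation_outcome(host, evs):
    return {"rule": "t1078_001_default_account_activation", "host": host, "risk_score": 95,
            "cmdline": array_distinct(e["target"]["process"]["command_line"] for e in evs),
            "actor": array_distinct(e["principal"]["user"]["userid"] for e in evs)}


def run_rules(events):
    """Runs both rules and returns their detections (outcome dictionaries)."""
    return (match_over_window(events, logon_rule_matches, logon_outcome)
            + match_over_window(events, activation_rule_matches, activation_outcome))


# Constructed sample telemetry (not real events); hosts, IPs and "jdoe" are invented.
T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)


def login(host, userid, ip, hours, ok=True):
    return {"metadata": {"event_type": "USER_LOGIN" if ok else "USER_LOGIN_FAIL",
                         "event_timestamp": T0 + timedelta(hours=hours)},
            "principal": {"hostname": host, "ip": ip, "user": {"userid": userid}},
            "target": {"user": {"userid": userid}}}


def proc(host, actor, cmdline, hours):
    return {"metadata": {"event_type": "PROCESS_LAUNCH",
                         "event_timestamp": T0 + timedelta(hours=hours)},
            "principal": {"hostname": host, "ip": "10.0.0.20", "user": {"userid": actor}},
            "target": {"process": {"command_line": cmdline}}}


SAMPLE_EVENTS = [
    login("WS01", "Administrator", "10.0.0.5", 0),
    login("WS01", "guest", "10.0.0.9", 1, ok=False),
    login("WS01", "jdoe", "10.0.0.5", 2),                  # ordinary user: no match
    login("SRV02", "CORP\\Administrator", "10.0.0.7", 3),  # domain-qualified: anchored regex misses it
    proc("SRV02", "jdoe", "net user DefaultAccount /active:yes", 4),
    proc("SRV02", "jdoe", "net localgroup administrators guest /delete", 5),  # /delete also matches
    login("WS01", "Administrator", "10.0.0.5", 30),        # >24h after the first: second window
]

if __name__ == "__main__":
    for detection in run_rules(SAMPLE_EVENTS):
        print(detection)
```

Running the block yields two logon detections for WS01 (one per 24h window) and one activation detection for SRV02 with both command lines, while the CORP\Administrator logon produces nothing. If domain-qualified userids are what your parser emits, change the regex anchor to `(^|\\)` or match on the UDM field that holds the bare account name before relying on the logon rule.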
Data Sources
- Authentication telemetry normalized to Chronicle UDM USER_LOGIN and USER_LOGIN_FAIL events with principal.hostname, principal.ip and target.user.userid populated (for Windows, Security Event IDs 4624 and 4625 as listed under Testing Methodology).
- Process telemetry normalized to UDM PROCESS_LAUNCH events with target.process.command_line and principal.user.userid populated (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled).
False Positives & Tuning
- Authorized system administrators using break-glass Administrator credentials during emergency access scenarios documented in ITSM change management systems.
- Automated provisioning pipelines using service or admin accounts to configure newly joined systems before domain integration and hardening is completed.
- Penetration testing engagements using default credentials as part of scope-approved internal red-team assessments against managed endpoints; correlate against authorized test windows.
- Several names in the logon rule's list (admin, service, support, user, test, demo, operator) are also common names for legitimate local or service accounts, and the rule fires on failed as well as successful logons. Remove names that are in sanctioned use in your environment, or exclude known hostname and userid pairs in the events section, before raising the rule's priority.
Testing Methodology
Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro. As written, Tests 1 and 2 exercise the activation rule and Test 3 the logon rule; the signals listed for Test 4 match neither rule's predicate unless the task is configured to run as one of the account names in the logon rule's list.
- Test 1: Enable and Use Built-in DefaultAccount via PowerShell (Magic Hound TTP)
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net user DefaultAccount /active:yes'. Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=DefaultAccount. Windows Security Event ID 4725 (User Account Disabled) after cleanup. Security Event ID 4688 (process creation) if command-line auditing is enabled.
- Test 2: Enable Built-in Guest Account and Verify Access
Expected signal: Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=Guest. Windows Security Event ID 4688 or Sysmon Event ID 1 with CommandLine 'net user Guest /active:yes'. Security Event ID 4625 if subsequent logon attempt is made. Event ID 4725 on cleanup.
- Test 3: Authenticate Using Built-in Administrator Account via Net Use (HyperStack-style IPC$ Access)
Expected signal: Windows Security Event ID 4648 (Logon using explicit credentials) with TargetUserName=Administrator and TargetServerName=127.0.0.1. Windows Security Event ID 4624 (logon type 3 - Network) or 4625 (failed logon) on the target host. Sysmon Event ID 1 with CommandLine 'net use \\127.0.0.1\IPC$'. Sysmon Event ID 3 (network connection) to port 445.
- Test 4: Simulate Default Service Account Logon via Scheduled Task
Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) with task name 'DefaultAccountTest'. Windows Security Event ID 4624 with logon type 4 (Batch) when the task executes under an explicitly configured account; a task that runs as SYSTEM reuses the existing SYSTEM session and produces no new logon event. Sysmon Event ID 1 for schtasks.exe and cmd.exe processes. Sysmon Event ID 11 (File Created) for the output file in TEMP. Security Event ID 4699 (Scheduled Task Deleted) on cleanup.
References
- https://attack.mitre.org/techniques/T1078/001/
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.sygnia.co/blog/elephant-beetle-an-organized-financial-threat/
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722