Detect Default Accounts in IBM QRadar
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those built into an OS (e.g., Guest or Administrator on Windows, root on Linux), preset on network devices/appliances, or created automatically by software integrations (e.g., vpxuser on ESXi when joined to vCenter). Adversaries exploit organizations that fail to disable, rename, or change the passwords of these accounts post-installation.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Sub-technique
- T1078.001 Default Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
CATEGORYNAME(category) AS event_category,
username,
sourceip,
destinationip,
"EventID",
"LogonType",
"CommandLine",
"WorkstationName",
"TargetDomainName"
FROM events
WHERE
starttime > NOW() - 86400000
AND (
(
LOWER(username) IN (
'administrator', 'guest', 'defaultaccount', 'defaultuser', 'admin',
'root', 'vpxuser', 'dcadmin', 'sysadmin', 'service', 'support',
'user', 'test', 'demo', 'operator', 'sa', 'netadmin'
)
AND "EventID" IN ('4624', '4625', '4648')
)
OR (
"EventID" = '1'
AND (
LOWER("CommandLine") LIKE '%net user defaultaccount /active:yes%'
OR LOWER("CommandLine") LIKE '%net user guest /active:yes%'
OR LOWER("CommandLine") LIKE '%net user administrator /active:yes%'
OR LOWER("CommandLine") LIKE '%net localgroup administrators guest%'
OR LOWER("CommandLine") LIKE '%net localgroup administrators defaultaccount%'
)
)
)
ORDER BY starttime DESCAQL query for IBM QRadar detecting Windows Security logon events (EventID 4624 success, 4625 failure, 4648 explicit credential) where the resolved username matches known default account names, and Sysmon process creation events (EventID 1) with command lines that activate or elevate default accounts. References custom event properties extracted by the Windows Security and Sysmon DSMs; adjust quoted property names to match your QRadar custom property names if they differ.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative use of the built-in Administrator account during patch cycles, emergency access procedures, or system recovery operations backed by a change ticket.
- Automated monitoring or vulnerability scanning tools (Nessus, Qualys, Rapid7 InsightVM) configured with default credentials for authenticated scanning during authorized assessment windows.
- Configuration management systems (Ansible, SCCM, Puppet) using service or admin accounts during initial system provisioning or scheduled software deployment runs.
Other platforms for T1078.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable and Use Built-in DefaultAccount via PowerShell (Magic Hound TTP)
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net user DefaultAccount /active:yes'. Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=DefaultAccount. Windows Security Event ID 4725 (User Account Disabled) after cleanup. Security Event ID 4688 (process creation) if command-line auditing is enabled.
- Test 2Enable Built-in Guest Account and Verify Access
Expected signal: Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=Guest. Windows Security Event ID 4688 or Sysmon Event ID 1 with CommandLine 'net user Guest /active:yes'. Security Event ID 4625 if subsequent logon attempt is made. Event ID 4725 on cleanup.
- Test 3Authenticate Using Built-in Administrator Account via Net Use (HyperStack-style IPC$ Access)
Expected signal: Windows Security Event ID 4648 (Logon using explicit credentials) with TargetUserName=Administrator and TargetServerName=127.0.0.1. Windows Security Event ID 4624 (logon type 3 - Network) or 4625 (failed logon) on the target host. Sysmon Event ID 1 with CommandLine 'net use \\127.0.0.1\IPC$'. Sysmon Event ID 3 (network connection) to port 445.
- Test 4Simulate Default Service Account Logon via Scheduled Task
Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) with task name 'DefaultAccountTest'. Windows Security Event ID 4624 (SYSTEM logon type 5) when task executes. Sysmon Event ID 1 for schtasks.exe and cmd.exe processes. Sysmon Event ID 11 (File Created) for the output file in TEMP. Security Event ID 4699 (Scheduled Task Deleted) on cleanup.
References (14)
- https://attack.mitre.org/techniques/T1078/001/
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.sygnia.co/blog/elephant-beetle-an-organized-financial-threat/
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722
Unlock Pro Content
Get the full detection package for T1078.001 including response playbook, investigation guide, and atomic red team tests.