T1078.002

Domain Accounts

Defense Evasion Persistence Privilege Escalation Initial Access

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

Microsoft Sentinel / Defender

kusto

// T1078.002 — Domain Account Abuse Detection
// Detects suspicious use of domain accounts across multiple high-fidelity signals
let LookbackWindow = 24h;
let SuspiciousLogonTypes = dynamic([3, 10]); // Network and RemoteInteractive
let SensitiveGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"]);
let BruteForceThreshold = 5;
// Signal 1: Successful logon after multiple failures (potential credential stuffing)
let BruteForceSuccess =
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID in (4624, 4625)
    | where AccountType == "User" and TargetDomainName != "" and TargetDomainName != "NT AUTHORITY"
    | summarize
        FailureCount = countif(EventID == 4625),
        SuccessCount = countif(EventID == 4624),
        SuccessTime = maxif(TimeGenerated, EventID == 4624),
        FailureTime = minif(TimeGenerated, EventID == 4625),
        LogonTypes = make_set(LogonType),
        SourceIPs = make_set(IpAddress)
      by TargetUserName, TargetDomainName, Computer
    | where FailureCount >= BruteForceThreshold and SuccessCount >= 1
    | extend SignalType = "BruteForceSuccess", Severity = "High"
    | project TargetUserName, TargetDomainName, Computer, SignalType, Severity, FailureCount, SuccessCount, SourceIPs, LogonTypes;
// Signal 2: Domain account logon from unusual/new workstation (lateral movement indicator)
let LateralMovement =
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4624
    | where LogonType in (SuspiciousLogonTypes)
    | where AccountType == "User"
    | where TargetDomainName != "" and TargetDomainName != "NT AUTHORITY" and TargetDomainName != "Window Manager"
    | where not(TargetUserName endswith "$") // Exclude machine accounts
    | summarize
        UniqueWorkstations = dcount(Computer),
        Workstations = make_set(Computer),
        SourceIPs = make_set(IpAddress),
        LogonCount = count()
      by TargetUserName, TargetDomainName, bin(TimeGenerated, 1h)
    | where UniqueWorkstations >= 3
    | extend SignalType = "LateralMovement", Severity = "High"
    | project TargetUserName, TargetDomainName, SignalType, Severity, UniqueWorkstations, Workstations, SourceIPs, LogonCount;
// Signal 3: Sensitive group member account used in off-hours network logon
let SensitiveAccountLogon =
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4624
    | where LogonType == 3
    | where AccountType == "User"
    | where TargetDomainName != "" and TargetDomainName != "NT AUTHORITY"
    | where not(TargetUserName endswith "$")
    | extend HourOfDay = datetime_part("Hour", TimeGenerated)
    | where HourOfDay !between (7 .. 19) // Off-hours: before 7am or after 7pm
    | join kind=inner (
        SecurityEvent
        | where TimeGenerated > ago(LookbackWindow)
        | where EventID == 4728 or EventID == 4732 // Member added to security-enabled group
        | extend SensitiveGroupMember = TargetUserName
    ) on $left.TargetUserName == $right.SensitiveGroupMember
    | project TimeGenerated, TargetUserName, TargetDomainName, Computer, IpAddress, LogonType
    | extend SignalType = "SensitiveAccountOffHoursLogon", Severity = "Critical";
// Signal 4: Domain account used to create new service or scheduled task (persistence)
let PersistenceViaAccount =
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID in (4697, 4698) // Service installed, Scheduled task created
    | where SubjectDomainName != "" and SubjectDomainName != "NT AUTHORITY" and SubjectDomainName != "SYSTEM"
    | where not(SubjectUserName endswith "$")
    | project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, EventID,
        TaskName = iff(EventID == 4698, TaskName, ServiceName),
        SignalType = "PersistenceInstallation", Severity = "High";
// Combine all signals
BruteForceSuccess
| extend TimeGenerated = now()
| union (
    LateralMovement
    | extend TimeGenerated = now(), Computer = tostring(Workstations[0])
)
| union (
    SensitiveAccountLogon
    | project TargetUserName, TargetDomainName, Computer, SignalType, Severity, TimeGenerated
    | extend FailureCount = int(null), SuccessCount = int(null), SourceIPs = dynamic(null), LogonTypes = dynamic(null)
)
| union (
    PersistenceViaAccount
    | project TargetUserName = SubjectUserName, TargetDomainName = SubjectDomainName, Computer, SignalType, Severity, TimeGenerated
    | extend FailureCount = int(null), SuccessCount = int(null), SourceIPs = dynamic(null), LogonTypes = dynamic(null)
)
| project TimeGenerated, TargetUserName, TargetDomainName, Computer, SignalType, Severity
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Windows Event Log: Security Active Directory: Active Directory Object Modification

Required Tables

SecurityEvent

False Positives

Legitimate IT administrators performing authorized after-hours maintenance, patching, or incident response across multiple systems
Service accounts that traverse many workstations as part of normal operations (e.g., backup agents, antivirus, patch management)
Automated software deployment systems (SCCM, Intune, Ansible) that authenticate to many systems in rapid succession
Password policy enforcement causing legitimate users to fail multiple times before successfully entering a new password
Helpdesk staff using domain admin credentials to perform authorized remote support across multiple machines

Splunk

spl

| tstats summariesonly=false count as TotalEvents,
    count(eval(EventCode=4624)) as SuccessCount,
    count(eval(EventCode=4625)) as FailureCount
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication OR nodename=Authentication.Successful_Authentication
    by Authentication.user, Authentication.src, Authentication.dest, _time span=1h
| fields - _timediff

```
Use the raw search below for full fidelity:
```

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4672 OR EventCode=4697 OR EventCode=4698)
| eval LogonType=if(EventCode=4624 OR EventCode=4625, LogonType, "N/A")
| eval AccountDomain=coalesce(TargetDomainName, SubjectDomainName)
| eval AccountName=coalesce(TargetUserName, SubjectUserName)
| where AccountDomain!="" AND AccountDomain!="NT AUTHORITY" AND AccountDomain!="Window Manager" AND AccountDomain!="Font Driver Host"
| where NOT match(AccountName, "\$$")  `comment("Exclude machine accounts")`
| eval EventType=case(
    EventCode=4624, "SuccessfulLogon",
    EventCode=4625, "FailedLogon",
    EventCode=4648, "ExplicitCredentialUse",
    EventCode=4672, "SpecialPrivilegeLogon",
    EventCode=4697, "ServiceInstalled",
    EventCode=4698, "ScheduledTaskCreated",
    true(), "Other"
  )
| eval IsNetworkLogon=if(EventCode=4624 AND LogonType=3, 1, 0)
| eval IsRemoteInteractive=if(EventCode=4624 AND LogonType=10, 1, 0)
| eval IsOffHours=if(tonumber(strftime(_time, "%H")) < 7 OR tonumber(strftime(_time, "%H")) > 19, 1, 0)
| eval IsExplicitCred=if(EventCode=4648, 1, 0)
| eval IsPersistence=if(EventCode=4697 OR EventCode=4698, 1, 0)
| eval SignalScore=IsNetworkLogon + IsRemoteInteractive + IsOffHours + IsExplicitCred + IsPersistence
| stats
    count as TotalEvents,
    sum(eval(EventCode=4624)) as SuccessLogons,
    sum(eval(EventCode=4625)) as FailedLogons,
    sum(IsNetworkLogon) as NetworkLogons,
    sum(IsRemoteInteractive) as RemoteInteractiveLogons,
    sum(IsOffHours) as OffHoursEvents,
    sum(IsExplicitCred) as ExplicitCredentialUse,
    sum(IsPersistence) as PersistenceEvents,
    dc(ComputerName) as UniqueDestinations,
    values(ComputerName) as Destinations,
    values(IpAddress) as SourceIPs,
    values(EventType) as ObservedEventTypes,
    max(SignalScore) as MaxSignalScore
  by AccountName, AccountDomain
| eval RiskScore=SuccessLogons + (FailedLogons * 0.5) + (NetworkLogons * 2) + (RemoteInteractiveLogons * 2) + (OffHoursEvents * 3) + (ExplicitCredentialUse * 4) + (PersistenceEvents * 5) + (if(UniqueDestinations >= 3, UniqueDestinations * 2, 0)) + (if(FailedLogons >= 5 AND SuccessLogons >= 1, 20, 0))
| eval Severity=case(
    RiskScore >= 50, "Critical",
    RiskScore >= 25, "High",
    RiskScore >= 10, "Medium",
    true(), "Low"
  )
| where RiskScore >= 10
| eval BruteForceIndicator=if(FailedLogons >= 5 AND SuccessLogons >= 1, "YES", "NO")
| eval LateralMovementIndicator=if(UniqueDestinations >= 3 AND NetworkLogons >= 3, "YES", "NO")
| eval PersistenceIndicator=if(PersistenceEvents >= 1, "YES", "NO")
| table _time, AccountName, AccountDomain, RiskScore, Severity, BruteForceIndicator, LateralMovementIndicator, PersistenceIndicator, TotalEvents, SuccessLogons, FailedLogons, NetworkLogons, UniqueDestinations, Destinations, SourceIPs, ExplicitCredentialUse, OffHoursEvents
| sort - RiskScore

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Windows Event Log: Security

Required Sourcetypes

WinEventLog:Security

False Positives

Legitimate IT administrators performing authorized after-hours maintenance, patching, or incident response across multiple systems
Service accounts that traverse many workstations as part of normal operations (e.g., backup agents, antivirus, patch management)
Automated software deployment systems (SCCM, Intune, Ansible) that authenticate to many systems in rapid succession
Password policy enforcement causing legitimate users to fail multiple times before successfully entering a new password
Helpdesk staff using domain admin credentials to perform authorized remote support across multiple machines

Elastic Security (EQL)

eql

sequence by user.name, user.domain with maxspan=1h
  [authentication where event.category == "authentication" and event.outcome == "failure"
   and user.domain != "NT AUTHORITY" and user.domain != ""
   and not wildcard(user.name, "*$")]
  with runs=5
  [authentication where event.category == "authentication" and event.outcome == "success"
   and user.domain != "NT AUTHORITY" and user.domain != ""
   and not wildcard(user.name, "*$")]

// Lateral Movement: same account authenticating to 3+ unique hosts
// Run as separate query:
// sequence by user.name with maxspan=1h
//   [authentication where event.outcome == "success" and network.type == "ipv4"
//    and winlog.event_data.LogonType in ("3", "10")
//    and user.domain != "NT AUTHORITY" and not wildcard(user.name, "*$")] with runs=3

// Persistence: domain account creating service or scheduled task
// sequence by user.name with maxspan=24h
//   [authentication where event.outcome == "success"]
//   [any where event.code in ("4697", "4698") and user.domain != "NT AUTHORITY"]

high severity high confidence

Data Sources

Windows Security Event Log (via Elastic Agent / Winlogbeat) Elastic SIEM — authentication data stream winlogbeat-* or logs-endpoint.events.* indices

Required Tables

logs-endpoint.events.authentication-* winlogbeat-* .siem-signals-*

False Positives

Automated service account health checks that use network logon (type 3) across multiple hosts during off-hours maintenance windows, generating high failure counts before a successful connection.
Legitimate IT administrators performing after-hours patch deployment or domain-wide GPO pushes, causing burst logon activity across many workstations that triggers the lateral movement threshold.
Password expiry enforcement tools that attempt legacy NTLM authentication multiple times before falling back to Kerberos, creating a pattern of failures followed by success that mimics credential stuffing.

IBM QRadar (AQL)

sql

-- Signal 1: Brute-Force Success (5+ failures then success within 1h)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  username AS AccountName,
  domain AS AccountDomain,
  sourceip AS SourceIP,
  destinationip AS DestinationHost,
  SUM(CASE WHEN qideventid = 4625 THEN 1 ELSE 0 END) AS FailedLogons,
  SUM(CASE WHEN qideventid = 4624 THEN 1 ELSE 0 END) AS SuccessLogons,
  'BruteForceSuccess' AS SignalType,
  'High' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log
  AND qideventid IN (4624, 4625)
  AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager', 'Font Driver Host')
  AND username NOT LIKE '%$'
  AND starttime > (NOW() - 86400000)
GROUP BY username, domain, sourceip, destinationip
HAVING
  SUM(CASE WHEN qideventid = 4625 THEN 1 ELSE 0 END) >= 5
  AND SUM(CASE WHEN qideventid = 4624 THEN 1 ELSE 0 END) >= 1

UNION ALL

-- Signal 2: Lateral Movement (3+ unique destinations, network logon type 3 or 10)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  username AS AccountName,
  domain AS AccountDomain,
  sourceip AS SourceIP,
  'Multiple-Hosts' AS DestinationHost,
  COUNT(*) AS FailedLogons,
  COUNT(DISTINCT destinationip) AS SuccessLogons,
  'LateralMovement' AS SignalType,
  'High' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND qideventid = 4624
  AND LONG("LogonType") IN (3, 10)
  AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager')
  AND username NOT LIKE '%$'
  AND starttime > (NOW() - 86400000)
GROUP BY username, domain, sourceip
HAVING COUNT(DISTINCT destinationip) >= 3

UNION ALL

-- Signal 3: Off-Hours Domain Account Logon
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  username AS AccountName,
  domain AS AccountDomain,
  sourceip AS SourceIP,
  destinationip AS DestinationHost,
  0 AS FailedLogons,
  1 AS SuccessLogons,
  'OffHoursSensitiveLogon' AS SignalType,
  'Critical' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND qideventid = 4624
  AND LONG("LogonType") = 3
  AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager')
  AND username NOT LIKE '%$'
  AND (EXTRACT(HOUR FROM starttime) < 7 OR EXTRACT(HOUR FROM starttime) > 19)
  AND starttime > (NOW() - 86400000)

UNION ALL

-- Signal 4: Persistence via Service or Scheduled Task
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  username AS AccountName,
  domain AS AccountDomain,
  sourceip AS SourceIP,
  destinationip AS DestinationHost,
  0 AS FailedLogons,
  0 AS SuccessLogons,
  'PersistenceInstallation' AS SignalType,
  'High' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND qideventid IN (4697, 4698)
  AND domain NOT IN ('NT AUTHORITY', '', 'SYSTEM')
  AND username NOT LIKE '%$'
  AND starttime > (NOW() - 86400000)

ORDER BY FirstSeen DESC

high severity high confidence

Data Sources

IBM QRadar — Microsoft Windows Security Event Log (LOGSOURCETYPEID 12) QRadar Universal DSM for Windows events QRadar Network Activity for flow correlation

Required Tables

events (QRadar event pipeline) flows (optional for network correlation)

False Positives

Enterprise backup agents using domain service accounts to authenticate across dozens of servers nightly, triggering the lateral movement threshold with legitimate network logon (type 3) activity.
Helpdesk staff performing remote interactive (type 10) logons to multiple user workstations during a single shift for troubleshooting, crossing the 3-destination threshold within the lookback window.
Scheduled PowerShell remoting jobs that invoke credentials explicitly (4648) against multiple hosts in off-hours maintenance windows, scoring high on the risk model without adversarial intent.

Sumo Logic CSE

sql

// T1078.002 — Domain Account Abuse | Sumo Logic CSE / CIP Query
// Covers: brute-force success, lateral movement, off-hours logon, persistence

_sourceCategory=*windows* OR _sourceCategory=*wineventlog* OR _sourceCategory=*security*
| parse field=_raw "EventCode=*" as EventCode nodrop
| parse field=_raw "TargetUserName=*" as TargetUserName nodrop
| parse field=_raw "TargetDomainName=*" as TargetDomainName nodrop
| parse field=_raw "SubjectUserName=*" as SubjectUserName nodrop
| parse field=_raw "SubjectDomainName=*" as SubjectDomainName nodrop
| parse field=_raw "LogonType=*" as LogonType nodrop
| parse field=_raw "IpAddress=*" as SourceIP nodrop
| parse field=_raw "ComputerName=*" as DestHost nodrop

// Normalize account fields
| eval AccountName = if (!isNull(TargetUserName) && TargetUserName != "", TargetUserName, SubjectUserName)
| eval AccountDomain = if (!isNull(TargetDomainName) && TargetDomainName != "", TargetDomainName, SubjectDomainName)

// Filter: valid domain accounts only, exclude machine accounts and system domains
| where AccountDomain != "" && AccountDomain != "NT AUTHORITY" && AccountDomain != "Window Manager" && AccountDomain != "Font Driver Host"
| where !matches(AccountName, "*$")
| where EventCode in ("4624", "4625", "4648", "4672", "4697", "4698")

// Classify events
| eval IsSuccess = if(EventCode == "4624", 1, 0)
| eval IsFailure = if(EventCode == "4625", 1, 0)
| eval IsNetworkLogon = if(EventCode == "4624" && LogonType == "3", 1, 0)
| eval IsRemoteInteractive = if(EventCode == "4624" && LogonType == "10", 1, 0)
| eval IsExplicitCred = if(EventCode == "4648", 1, 0)
| eval IsPersistence = if(EventCode == "4697" || EventCode == "4698", 1, 0)
| eval Hour = formatDate(_messageTime, "HH") | eval Hour = toInt(Hour)
| eval IsOffHours = if(Hour < 7 || Hour > 19, 1, 0)

// Aggregate per account over lookback window
| timeslice 24h
| stats
    sum(IsSuccess) as SuccessLogons,
    sum(IsFailure) as FailedLogons,
    sum(IsNetworkLogon) as NetworkLogons,
    sum(IsRemoteInteractive) as RemoteInteractiveLogons,
    sum(IsExplicitCred) as ExplicitCredUse,
    sum(IsPersistence) as PersistenceEvents,
    sum(IsOffHours) as OffHoursEvents,
    dcount(DestHost) as UniqueDestinations,
    values(DestHost) as DestinationHosts,
    values(SourceIP) as SourceIPs
  by AccountName, AccountDomain, _timeslice

// Risk scoring (mirrors SPL logic)
| eval RiskScore = SuccessLogons
    + (FailedLogons * 0.5)
    + (NetworkLogons * 2)
    + (RemoteInteractiveLogons * 2)
    + (OffHoursEvents * 3)
    + (ExplicitCredUse * 4)
    + (PersistenceEvents * 5)
    + if(UniqueDestinations >= 3, UniqueDestinations * 2, 0)
    + if(FailedLogons >= 5 && SuccessLogons >= 1, 20, 0)

// Indicator flags
| eval BruteForceIndicator = if(FailedLogons >= 5 && SuccessLogons >= 1, "YES", "NO")
| eval LateralMovementIndicator = if(UniqueDestinations >= 3 && NetworkLogons >= 3, "YES", "NO")
| eval PersistenceIndicator = if(PersistenceEvents >= 1, "YES", "NO")

// Severity classification
| eval Severity = if(RiskScore >= 50, "Critical",
    if(RiskScore >= 25, "High",
    if(RiskScore >= 10, "Medium", "Low")))

// Filter actionable results
| where RiskScore >= 10
| fields _timeslice, AccountName, AccountDomain, RiskScore, Severity,
    BruteForceIndicator, LateralMovementIndicator, PersistenceIndicator,
    SuccessLogons, FailedLogons, NetworkLogons, UniqueDestinations,
    DestinationHosts, SourceIPs, ExplicitCredUse, OffHoursEvents, PersistenceEvents
| sort by RiskScore desc

high severity high confidence

Data Sources

Sumo Logic — Windows Security Event Log (_sourceCategory=*wineventlog* or *security*) Sumo Logic Cloud SIEM Enterprise (CSE) normalized Windows signals Sumo Logic Installed Collector with Windows Event Log source

Required Tables

_sourceCategory=*windows*security* _sourceCategory=*wineventlog*

False Positives

DevOps CI/CD pipelines using a shared domain service account to deploy to multiple servers simultaneously, generating high UniqueDestinations counts and network logon activity that exceeds the lateral movement threshold.
Security scanners or vulnerability assessment tools authenticating as a domain account across the estate during off-hours scans, producing both off-hours logon and multi-host signals.
Password reset workflows that generate multiple 4625 events (wrong password entered during reset) immediately followed by a 4624 on the final correct attempt, matching the brute-force success pattern.

Google Chronicle / SecOps

yaral

rule t1078_002_domain_account_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1078.002 Domain Account Abuse: brute-force success, lateral movement to 3+ hosts, off-hours sensitive logon, and persistence via service/scheduled task creation by a domain account."
    technique = "T1078.002"
    tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "Windows"
    version = "1.0"
    created = "2026-04-13"

  events:
    // Anchor: successful domain account logon (network or remote interactive)
    $logon.metadata.event_type = "USER_LOGIN"
    $logon.metadata.vendor_name = "Microsoft"
    $logon.outcome.success = true
    $logon.principal.user.userid != ""
    $logon.target.user.email_addresses != ""
    // Exclude machine accounts (end with $)
    not re.regex($logon.principal.user.userid, `.*\$$`)
    // Exclude system-level domains
    $logon.principal.user.windows_sid != ""
    $logon.network.ip_protocol = "TCP"
    // Capture user and destination for correlation
    $user = $logon.principal.user.userid
    $domain = $logon.principal.administrative_domain
    $domain != "NT AUTHORITY"
    $domain != ""
    $dest1 = $logon.target.hostname

    // Second logon to a DIFFERENT destination — same user within window
    $logon2.metadata.event_type = "USER_LOGIN"
    $logon2.outcome.success = true
    $logon2.principal.user.userid = $user
    $logon2.principal.administrative_domain = $domain
    $dest2 = $logon2.target.hostname
    $dest2 != $dest1

    // Third logon to yet another DIFFERENT destination
    $logon3.metadata.event_type = "USER_LOGIN"
    $logon3.outcome.success = true
    $logon3.principal.user.userid = $user
    $logon3.principal.administrative_domain = $domain
    $dest3 = $logon3.target.hostname
    $dest3 != $dest1
    $dest3 != $dest2

    // At least 5 preceding authentication failures for same user (brute-force signal)
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.outcome.success = false
    $fail.principal.user.userid = $user
    $fail.principal.administrative_domain = $domain

  match:
    $user, $domain over 24h

  outcome:
    $risk_score = max(
      // Lateral movement: 3+ unique destinations
      if($dest1 != "" and $dest2 != "" and $dest3 != "", 40, 0) +
      // Brute force success
      if(count_distinct($fail.metadata.id) >= 5, 20, 0)
    )
    $signal_type = array_distinct("LateralMovement", "BruteForceSuccess")
    $destination_1 = $dest1
    $destination_2 = $dest2
    $destination_3 = $dest3
    $account_domain = $domain

  condition:
    // All three lateral movement logon events must fire
    $logon and $logon2 and $logon3 and
    // At least 5 failure events for brute-force signal
    #fail >= 5
}

// --- Companion rule: Off-Hours Sensitive Domain Account Logon ---
rule t1078_002_offhours_domain_logon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects domain account network logon outside business hours (before 07:00 or after 19:00 UTC)."
    technique = "T1078.002"
    severity = "CRITICAL"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.vendor_name = "Microsoft"
    $e.outcome.success = true
    $e.principal.user.userid != ""
    not re.regex($e.principal.user.userid, `.*\$$`)
    $e.principal.administrative_domain != "NT AUTHORITY"
    $e.principal.administrative_domain != ""
    // Network logon type 3 via additional.fields
    $e.additional.fields["LogonType"] = "3"
    // Off-hours: hour < 7 or hour > 19 (UTC)
    (timestamp.get_hour($e.metadata.event_timestamp, "UTC") < 7 or
     timestamp.get_hour($e.metadata.event_timestamp, "UTC") > 19)

  match:
    $e.principal.user.userid over 1h

  outcome:
    $account_name = $e.principal.user.userid
    $account_domain = $e.principal.administrative_domain
    $source_ip = $e.principal.ip
    $destination = $e.target.hostname
    $hour_utc = timestamp.get_hour($e.metadata.event_timestamp, "UTC")

  condition:
    $e
}

// --- Companion rule: Persistence via Domain Account (Service/Task Creation) ---
rule t1078_002_persistence_domain_account {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects domain account creating a Windows service (4697) or scheduled task (4698) as a persistence mechanism."
    technique = "T1078.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "SERVICE_INSTALLATION"
    $e.metadata.vendor_name = "Microsoft"
    not re.regex($e.principal.user.userid, `.*\$$`)
    $e.principal.administrative_domain != "NT AUTHORITY"
    $e.principal.administrative_domain != ""
    $e.principal.administrative_domain != "SYSTEM"
    $e.principal.user.userid != ""

  match:
    $e.principal.user.userid over 24h

  outcome:
    $account_name = $e.principal.user.userid
    $account_domain = $e.principal.administrative_domain
    $target_host = $e.target.hostname
    $service_or_task = $e.target.resource.name

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle — Windows Event Logs ingested via Chronicle Forwarder or Google Cloud Logging Chronicle UDM USER_LOGIN events normalized from Windows Security Event Log Chronicle SERVICE_INSTALLATION events from EventID 4697/4698

Required Tables

UDM USER_LOGIN events UDM SERVICE_INSTALLATION events UDM USER_UNCATEGORIZED events (for auth failures)

False Positives

Automated server provisioning tools that authenticate a domain build account to 5-10 fresh VMs in sequence during infrastructure scaling events, satisfying the lateral movement correlation.
IT operations teams running PowerShell Desired State Configuration (DSC) pull server refreshes overnight, creating scheduled tasks under domain service accounts during off-hours windows.
Integration testing pipelines in staging environments that replay credential-based authentication sequences — including intentional failure-then-success flows — as part of authentication regression tests.

CrowdStrike LogScale (CQL)

cql

// T1078.002 — Domain Account Abuse | CrowdStrike LogScale (CQL)
// Signal 1: Brute-Force Success — 5+ UserLogonFailed2 followed by UserLogon2 within 1h

// --- Brute-Force + Lateral Movement Detection ---
#event_simpleName = UserLogon2 OR #event_simpleName = UserLogonFailed2
| UserName != ""
| UserDomain != ""
| UserDomain != "NT AUTHORITY"
| UserDomain != "WINDOW MANAGER"
| not(UserName = /\$$/)  // Exclude machine accounts
// Classify event type
| EventType := if(#event_simpleName == "UserLogon2", "success", "failure")
| LogonType := if(#event_simpleName == "UserLogon2", string(LogonType), "N/A")
// Aggregate per user+domain in 1-hour buckets
| bucket(field=[UserName, UserDomain], span=1h)
    count(EventType == "success") as SuccessLogons
    count(EventType == "failure") as FailedLogons
    count(LogonType == "3") as NetworkLogons
    count(LogonType == "10") as RemoteInteractiveLogons
    dcount(ComputerName) as UniqueDestinations
    collect(ComputerName) as DestinationHosts
    collect(RemoteAddressIP4) as SourceIPs
| BruteForceSuccess := FailedLogons >= 5 AND SuccessLogons >= 1
| LateralMovement := UniqueDestinations >= 3 AND NetworkLogons >= 3
// Only surface meaningful signals
| BruteForceSuccess == true OR LateralMovement == true
| BruteForceIndicator := if(BruteForceSuccess, "YES", "NO")
| LateralMovementIndicator := if(LateralMovement, "YES", "NO")
// Risk scoring
| RiskScore := SuccessLogons
    + (FailedLogons * 0.5)
    + (NetworkLogons * 2)
    + (RemoteInteractiveLogons * 2)
    + (if(UniqueDestinations >= 3, UniqueDestinations * 2, 0))
    + (if(BruteForceSuccess, 20, 0))
| Severity := if(RiskScore >= 50, "Critical",
    if(RiskScore >= 25, "High",
    if(RiskScore >= 10, "Medium", "Low")))
| select([_bucket, UserName, UserDomain, Severity, RiskScore,
    BruteForceIndicator, LateralMovementIndicator,
    SuccessLogons, FailedLogons, NetworkLogons,
    UniqueDestinations, DestinationHosts, SourceIPs])
| sort(RiskScore, order=desc)

// --- Off-Hours Sensitive Domain Account Logon (run separately) ---
// #event_simpleName = UserLogon2
// | LogonType = 3
// | UserDomain != "NT AUTHORITY" AND UserDomain != ""
// | not(UserName = /\$$/ )
// | HourUTC := formatTime("%H", @timestamp, timezone="UTC") | HourUTC := toInt(HourUTC)
// | HourUTC < 7 OR HourUTC > 19
// | table([_time, UserName, UserDomain, ComputerName, RemoteAddressIP4, LogonType, HourUTC])

// --- Persistence: Service or Scheduled Task Creation by Domain Account (run separately) ---
// #event_simpleName = ServiceInstalled OR #event_simpleName = ScheduledTaskRegistered
// | UserDomain != "NT AUTHORITY" AND UserDomain != "" AND UserDomain != "SYSTEM"
// | not(UserName = /\$$/ )
// | UserName != ""
// | table([_time, UserName, UserDomain, ComputerName, ServiceName, TaskName, CommandLine])

high severity high confidence

Data Sources

CrowdStrike Falcon — EDR telemetry (UserLogon2, UserLogonFailed2, ServiceInstalled, ScheduledTaskRegistered) CrowdStrike Falcon LogScale / Humio repository Falcon Event Stream (via Streaming API or direct LogScale ingestion)

Required Tables

UserLogon2 (Falcon event stream) UserLogonFailed2 (Falcon event stream) ServiceInstalled (Falcon event stream) ScheduledTaskRegistered (Falcon event stream)

False Positives

Falcon sensor deployment or policy update jobs that authenticate a domain account to many endpoints simultaneously in a short window, triggering the lateral movement bucket threshold across multiple ComputerName values.
Enterprise vulnerability scanners (Tenable, Qualys) configured to use domain credential authentication for authenticated scanning across subnets, generating high network logon counts and multi-host activity.
Kerberos pre-authentication failures from misconfigured applications or expired service principal name (SPN) configurations producing sustained 4625-equivalent events before eventual successful NTLM fallback authentication.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1078.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections