Detect Domain Accounts in Google Chronicle
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Sub-technique
- T1078.002 Domain Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/002/
YARA-L Detection Query
rule t1078_002_domain_account_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1078.002 Domain Account Abuse: 5+ authentication failures combined with successful logons to 3+ distinct hosts by the same domain account within 24h (brute-force success followed by lateral movement). Off-hours logon and service/task persistence are covered by the two companion rules below."
    technique = "T1078.002"
    tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    platforms = "Windows"
    version = "1.0"
    created = "2026-04-13"
  events:
    // Anchor: successful domain account logon from Windows Security telemetry.
    // Verify the field mapping against your parser before deploying: some Windows
    // logon parsers place the logged-on account in target.user rather than principal.user.
    // No ip_protocol or email_addresses constraints: Windows logon events do not populate them.
    $logon.metadata.event_type = "USER_LOGIN"
    $logon.metadata.vendor_name = "Microsoft"
    $logon.outcome.success = true
    $logon.principal.user.userid != ""
    // Exclude machine accounts (end with $)
    not re.regex($logon.principal.user.userid, `.*\$$`)
    // Require a resolved SID; drops partially parsed events
    $logon.principal.user.windows_sid != ""
    // Capture user, domain and destination for correlation
    $user = $logon.principal.user.userid
    $domain = $logon.principal.administrative_domain
    // Exclude system-level domains
    $domain != "NT AUTHORITY"
    $domain != ""
    $dest1 = $logon.target.hostname
    // Second logon to a DIFFERENT destination by the same user within the window
    $logon2.metadata.event_type = "USER_LOGIN"
    $logon2.outcome.success = true
    $logon2.principal.user.userid = $user
    $logon2.principal.administrative_domain = $domain
    $dest2 = $logon2.target.hostname
    $dest2 != $dest1
    // Third logon to yet another DIFFERENT destination
    $logon3.metadata.event_type = "USER_LOGIN"
    $logon3.outcome.success = true
    $logon3.principal.user.userid = $user
    $logon3.principal.administrative_domain = $domain
    $dest3 = $logon3.target.hostname
    $dest3 != $dest1
    $dest3 != $dest2
    // Authentication failures for the same user in the same window (brute-force signal).
    // YARA-L does not order events inside a match window, so the failures are not
    // guaranteed to precede the successes; the 5+ threshold is enforced in condition.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.outcome.success = false
    $fail.principal.user.userid = $user
    $fail.principal.administrative_domain = $domain
  match:
    $user, $domain over 24h
  outcome:
    // Aggregations cannot be nested in YARA-L, so each scoring term gets its own max().
    // The condition already requires all three logons and 5+ failures, so a firing
    // rule scores 40 (lateral movement) + 20 (brute-force success) = 60.
    $risk_score = max(if($dest1 != "" and $dest2 != "" and $dest3 != "", 40, 0)) + max(if($fail.outcome.success = false, 20, 0))
    $failure_count = count_distinct($fail.metadata.id)
    $source_ips = array_distinct($logon.principal.ip)
    // Destinations aggregated over the match window
    $destination_1 = array_distinct($dest1)
    $destination_2 = array_distinct($dest2)
    $destination_3 = array_distinct($dest3)
    $account_domain = $domain
  condition:
    // All three lateral movement logon events must be present
    $logon and $logon2 and $logon3 and
    // At least 5 failure events for the brute-force signal
    #fail >= 5
}
// --- Companion rule: Off-Hours Sensitive Domain Account Logon ---
rule t1078_002_offhours_domain_logon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects a successful network logon (LogonType 3) by a domain account outside business hours, defined as before 07:00 or from 20:00 UTC."
    technique = "T1078.002"
    severity = "CRITICAL"
    confidence = "MEDIUM"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.vendor_name = "Microsoft"
    $e.outcome.success = true
    $e.principal.user.userid != ""
    not re.regex($e.principal.user.userid, `.*\$$`)
    $e.principal.administrative_domain != "NT AUTHORITY"
    $e.principal.administrative_domain != ""
    // Network logon type 3 via additional.fields
    $e.additional.fields["LogonType"] = "3"
    // Off-hours: hour < 7 or hour > 19. timestamp.get_hour() takes Unix seconds, hence
    // the .seconds accessor. The window is evaluated in UTC; replace the time zone
    // argument with the organization's business-hours zone before deploying.
    (timestamp.get_hour($e.metadata.event_timestamp.seconds, "UTC") < 7 or
     timestamp.get_hour($e.metadata.event_timestamp.seconds, "UTC") > 19)
  match:
    $e.principal.user.userid over 1h
  outcome:
    $account_name = $e.principal.user.userid
    $account_domain = array_distinct($e.principal.administrative_domain)
    $source_ip = array_distinct($e.principal.ip)
    $destination = array_distinct($e.target.hostname)
    $hour_utc = max(timestamp.get_hour($e.metadata.event_timestamp.seconds, "UTC"))
  condition:
    $e
}
// --- Companion rule: Persistence via Domain Account (Service/Task Creation) ---
rule t1078_002_persistence_domain_account {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects a domain account creating a Windows service (4697) or scheduled task (4698) as a persistence mechanism."
    technique = "T1078.002"
    severity = "HIGH"
    confidence = "HIGH"
  events:
    // 4697 normalizes to SERVICE_INSTALLATION and 4698 to SCHEDULED_TASK_CREATION;
    // both event types are needed to cover what the description promises.
    ($e.metadata.event_type = "SERVICE_INSTALLATION" or $e.metadata.event_type = "SCHEDULED_TASK_CREATION")
    $e.metadata.vendor_name = "Microsoft"
    $e.principal.user.userid != ""
    not re.regex($e.principal.user.userid, `.*\$$`)
    $e.principal.administrative_domain != "NT AUTHORITY"
    $e.principal.administrative_domain != "SYSTEM"
    $e.principal.administrative_domain != ""
  match:
    $e.principal.user.userid over 24h
  outcome:
    $account_name = $e.principal.user.userid
    $account_domain = array_distinct($e.principal.administrative_domain)
    $target_host = array_distinct($e.target.hostname)
    $service_or_task = array_distinct($e.target.resource.name)
    $event_type = array_distinct($e.metadata.event_type)
  condition:
    $e
}
Three companion YARA-L 2.0 rules for Google Chronicle detecting T1078.002 Domain Account Abuse. Rule 1 (t1078_002_domain_account_abuse) correlates 5+ authentication failures with successful logons to 3+ distinct destinations within 24h for the same domain account. Rule 2 (t1078_002_offhours_domain_logon) fires on a successful network logon (LogonType 3) by a domain account outside 07:00–19:00 UTC. Rule 3 (t1078_002_persistence_domain_account) triggers on service installation (4697) or scheduled task creation (4698) attributed to a domain account. Machine accounts (trailing $) and NT AUTHORITY are excluded throughout.
Data Sources
- Windows Security event log (4624/4625 logons, 4697 service installation, 4698 scheduled task creation) forwarded to Chronicle and normalized to UDM with metadata.vendor_name = "Microsoft".
Required UDM Event Types
- USER_LOGIN, SERVICE_INSTALLATION, SCHEDULED_TASK_CREATION
False Positives & Tuning
- Automated server provisioning tools that authenticate a domain build account to 5-10 fresh VMs in sequence during infrastructure scaling events, satisfying the lateral movement correlation.
- IT operations teams running PowerShell Desired State Configuration (DSC) pull server refreshes overnight, creating scheduled tasks under domain service accounts during off-hours windows.
- Integration testing pipelines in staging environments that replay credential-based authentication sequences — including intentional failure-then-success flows — as part of authentication regression tests.
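The following harness replays the three rules above against constructed events so that the thresholds, the machine-account and system-domain exclusions, and an account allowlist of the kind the tuning notes call for can be unit-tested before anything is deployed. It is an added example, not Chronicle code and not the page's rules: it approximates each rule's events/match/condition logic in plain Python, the event dictionaries are constructed test data keyed by the flattened UDM paths the rules reference, and every function name is this example's own.

```python
"""Offline replay of the three YARA-L rules on this page. Added example, not
Chronicle code: it approximates each rule's events/match/condition logic in
plain Python so thresholds, exclusions and an allowlist can be unit-tested
before deployment. Events are flat dicts keyed by the UDM paths the rules
reference, and SAMPLE_EVENTS below is constructed test data, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MACHINE_ACCOUNT = re.compile(r".*\$$")            # same regex as the rules
EXCLUDED_DOMAINS = {"", "NT AUTHORITY", "SYSTEM"}

def is_domain_user(ev, allowlist=frozenset()):
    """Shared exclusions from all three rules (non-empty userid, no trailing $,
    no system-level domain) plus a tuning allowlist of known-benign accounts,
    e.g. the provisioning or DSC service accounts from the tuning notes."""
    user = ev["principal.user.userid"]
    domain = ev["principal.administrative_domain"]
    return (user != "" and not MACHINE_ACCOUNT.match(user)
            and domain not in EXCLUDED_DOMAINS and user not in allowlist)

def rule_domain_account_abuse(events, window=timedelta(hours=24), allowlist=frozenset()):
    """Rule 1: one (user, domain) with >= 3 distinct successful-logon destinations
    and >= 5 failures inside the window. As in YARA-L, no ordering between the
    failures and the successes is enforced."""
    groups = defaultdict(list)
    for ev in events:
        if ev["metadata.event_type"] == "USER_LOGIN" and is_domain_user(ev, allowlist):
            groups[(ev["principal.user.userid"], ev["principal.administrative_domain"])].append(ev)
    detections = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["metadata.event_timestamp"])
        for i, anchor in enumerate(evs):           # try a window starting at each event
            t0 = anchor["metadata.event_timestamp"]
            in_window = [e for e in evs[i:] if e["metadata.event_timestamp"] - t0 <= window]
            dests = {e["target.hostname"] for e in in_window if e["outcome.success"]}
            failures = sum(1 for e in in_window if not e["outcome.success"])
            if len(dests) >= 3 and failures >= 5:
                detections[key] = {"risk_score": 40 + 20,   # lateral movement + brute force
                                   "destinations": sorted(dests), "failure_count": failures}
                break
    return detections

def rule_offhours_logon(events, start_hour=7, end_hour=19, tz=timezone.utc, allowlist=frozenset()):
    """Rule 2: successful LogonType 3 by a domain user whose logon hour in tz is
    < start_hour or > end_hour. The page's rule uses UTC; pass the business zone."""
    hits = []
    for ev in events:
        if ev["metadata.event_type"] != "USER_LOGIN" or not ev["outcome.success"]:
            continue
        if not is_domain_user(ev, allowlist) or ev["additional.fields"].get("LogonType") != "3":
            continue
        hour = ev["metadata.event_timestamp"].astimezone(tz).hour
        if hour < start_hour or hour > end_hour:
            hits.append({"account": ev["principal.user.userid"], "hour": hour,
                         "destination": ev["target.hostname"]})
    return hits

def rule_persistence(events, allowlist=frozenset()):
    """Rule 3: service installation (4697) or scheduled task creation (4698)
    attributed to a domain user."""
    return [{"account": ev["principal.user.userid"], "domain": ev["principal.administrative_domain"],
             "host": ev["target.hostname"], "name": ev["target.resource.name"]}
            for ev in events
            if ev["metadata.event_type"] in ("SERVICE_INSTALLATION", "SCHEDULED_TASK_CREATION")
            and is_domain_user(ev, allowlist)]

# ---- constructed sample telemetry (not real logs) ----
BASE = datetime(2026, 4, 13, 3, 0, tzinfo=timezone.utc)  # 03:00 UTC, i.e. off-hours

def _ev(minutes, etype, user, domain, host, success=True, logon_type="3", name=""):
    return {"metadata.event_type": etype,
            "metadata.event_timestamp": BASE + timedelta(minutes=minutes),
            "principal.user.userid": user, "principal.administrative_domain": domain,
            "target.hostname": host, "outcome.success": success,
            "additional.fields": {"LogonType": logon_type}, "target.resource.name": name}

SAMPLE_EVENTS = (
    [_ev(m, "USER_LOGIN", "jdoe", "CORP", "DC01", success=False) for m in range(6)]  # 6x 4625
    + [_ev(6, "USER_LOGIN", "jdoe", "CORP", "DC01"),        # success after the failures
       _ev(10, "USER_LOGIN", "jdoe", "CORP", "FS01"),
       _ev(15, "USER_LOGIN", "jdoe", "CORP", "WEB01"),      # third distinct destination
       _ev(16, "USER_LOGIN", "SRV01$", "CORP", "FS01"),     # machine account: excluded
       _ev(17, "USER_LOGIN", "SYSTEM", "NT AUTHORITY", "FS01"),  # system domain: excluded
       _ev(20, "SCHEDULED_TASK_CREATION", "jdoe", "CORP", "WEB01", name="WindowsDefenderUpdate"),
       _ev(540, "USER_LOGIN", "asmith", "CORP", "FS01")]    # 12:00 UTC: business hours
)

if __name__ == "__main__":
    print(rule_domain_account_abuse(SAMPLE_EVENTS))
    print(rule_offhours_logon(SAMPLE_EVENTS))
    print(rule_persistence(SAMPLE_EVENTS))
    print(rule_domain_account_abuse(SAMPLE_EVENTS, allowlist={"jdoe"}))  # tuned away
```

With the sample data, rule 1 fires once for CORP\jdoe (three destinations, six failures, score 60), rule 2 reports the three 03:xx UTC successes, rule 3 reports the scheduled task on WEB01, and the machine account, NT AUTHORITY and the 12:00 UTC logon produce nothing. Pass the provisioning or DSC account names in `allowlist` to reproduce the tuning the bullets above describe, and pass a real business time zone in `tz` rather than keeping UTC.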
Testing Methodology
Validate these rules with the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Domain Account Network Logon Simulation (PsExec-style)
Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.
- Test 2: Domain Account Explicit Credential Use via RunAs
Expected signal: EventID 4648 on the local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 on the local system for the spawned cmd.exe: Type 9 (NewCredentials) when runas is invoked with /netonly, Type 2 (Interactive) otherwise. Sysmon EventID 1: Process Create for runas.exe under the current user, and for the spawned cmd.exe, which runs as alternate_user unless /netonly was used (with /netonly the local token stays the current user's and only network authentication uses the alternate credentials).
- Test 3: Simulated Domain Account Brute Force Followed by Success
Expected signal: 6x EventID 4625 on DC_HOSTNAME: logon failures for DOMAIN\testuser with LogonType=3 and SubStatus=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: successful logon. EventID 4776 on the DC when NTLM is used: credential validation attempts, with error code 0xC000006A for the failures. The failures-then-success pattern is the primary detection signal; note that the first rule above counts failures and successes in the same 24h window without enforcing their order.
- Test 4: Domain Account Creates Scheduled Task for Persistence
Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
References
- https://attack.mitre.org/techniques/T1078/002/
- https://technet.microsoft.com/en-us/library/dn535501.aspx
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.002/T1078.002.md
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648