Detect Domain Accounts in Elastic Security
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Sub-technique
- T1078.002 Domain Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/002/
Elastic Detection Query
sequence by user.name, user.domain with maxspan=1h
[authentication where event.category == "authentication" and event.outcome == "failure"
and user.domain != "NT AUTHORITY" and user.domain != ""
and not wildcard(user.name, "*$")]
with runs=5
[authentication where event.category == "authentication" and event.outcome == "success"
and user.domain != "NT AUTHORITY" and user.domain != ""
and not wildcard(user.name, "*$")]
// Lateral Movement: same account authenticating to 3+ unique hosts
// Run as separate query:
// sequence by user.name with maxspan=1h
// [authentication where event.outcome == "success" and network.type == "ipv4"
// and winlog.event_data.LogonType in ("3", "10")
// and user.domain != "NT AUTHORITY" and not wildcard(user.name, "*$")] with runs=3
// Persistence: domain account creating service or scheduled task
// sequence by user.name with maxspan=24h
// [authentication where event.outcome == "success"]
// [any where event.code in ("4697", "4698") and user.domain != "NT AUTHORITY"]Detects T1078.002 Domain Account Abuse via four signals: (1) brute-force success — 5+ failures followed by successful authentication within 1 hour; (2) lateral movement — same domain account authenticating to 3+ unique hosts via network/remote-interactive logon; (3) sensitive account off-hours network logon before 07:00 or after 19:00; (4) domain account creating a service or scheduled task (persistence). Uses ECS authentication and winlog fields against Windows Security Event logs ingested via Elastic Agent or Winlogbeat.
Data Sources
Required Tables
False Positives & Tuning
- Automated service account health checks that use network logon (type 3) across multiple hosts during off-hours maintenance windows, generating high failure counts before a successful connection.
- Legitimate IT administrators performing after-hours patch deployment or domain-wide GPO pushes, causing burst logon activity across many workstations that triggers the lateral movement threshold.
- Password expiry enforcement tools that attempt legacy NTLM authentication multiple times before falling back to Kerberos, creating a pattern of failures followed by success that mimics credential stuffing.
Other platforms for T1078.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Domain Account Network Logon Simulation (PsExec-style)
Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.
- Test 2Domain Account Explicit Credential Use via RunAs
Expected signal: EventID 4648 on local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 Type 9 (NewCredentials) on local system for the spawned cmd.exe process. Sysmon EventID 1: Process Create for runas.exe with AccountName=alternate_user context.
- Test 3Simulated Domain Account Brute Force Followed by Success
Expected signal: 6x EventID 4625 on DC_HOSTNAME: Logon failures for DOMAIN\testuser with LogonType=3, FailureReason=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: Successful logon. EventID 4776 on DC: NTLM validation attempts. The pattern of failures followed by success is the primary detection signal.
- Test 4Domain Account Creates Scheduled Task for Persistence
Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
References (12)
- https://attack.mitre.org/techniques/T1078/002/
- https://technet.microsoft.com/en-us/library/dn535501.aspx
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.002/T1078.002.md
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
Unlock Pro Content
Get the full detection package for T1078.002 including response playbook, investigation guide, and atomic red team tests.