T1078.002 CrowdStrike LogScale · LogScale

Detect Domain Accounts in CrowdStrike LogScale

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique
T1078 Valid Accounts
Sub-technique
T1078.002 Domain Accounts
Canonical reference
https://attack.mitre.org/techniques/T1078/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
// T1078.002 - Domain Account Abuse | CrowdStrike LogScale (CQL)
// Signal 1: Brute-Force Success - 5+ UserLogonFailed2 followed by UserLogon2 within 1h
// Signal 2: Lateral Movement - 3+ network logons to 3+ distinct hosts within 1h

// --- Brute-Force + Lateral Movement Detection ---
#event_simpleName = UserLogon2 OR #event_simpleName = UserLogonFailed2
| UserName != ""
| UserDomain != ""
| UserDomain != "NT AUTHORITY"
| UserDomain != "WINDOW MANAGER"
| UserName != /\$$/  // Exclude machine accounts (trailing $)
// Classify event type; LogonType is only populated on successful logons
| case { #event_simpleName = UserLogon2 | EventType := "success"; * | EventType := "failure" }
| case { #event_simpleName = UserLogonFailed2 | LogonType := "N/A"; * }
// Aggregate per user+domain in 1-hour buckets (each sub-query counts one condition)
| bucket(field=[UserName, UserDomain], span=1h, function=[
    {EventType = "success" | count(as=SuccessLogons)},
    {EventType = "failure" | count(as=FailedLogons)},
    {LogonType = "3"  | count(as=NetworkLogons)},
    {LogonType = "10" | count(as=RemoteInteractiveLogons)},
    count(field=ComputerName, distinct=true, as=UniqueDestinations),
    collect([ComputerName, RemoteAddressIP4])])
// A bucket with no matching events gets no count field; default to 0 so the arithmetic below works
| default(field=[SuccessLogons, FailedLogons, NetworkLogons, RemoteInteractiveLogons], value=0)
| rename(field=ComputerName, as=DestinationHosts)
| rename(field=RemoteAddressIP4, as=SourceIPs)
// Signal flags
| case { FailedLogons >= 5 AND SuccessLogons >= 1 | BruteForceIndicator := "YES";
         * | BruteForceIndicator := "NO" }
| case { UniqueDestinations >= 3 AND NetworkLogons >= 3 | LateralMovementIndicator := "YES";
         * | LateralMovementIndicator := "NO" }
// Only surface meaningful signals
| BruteForceIndicator = "YES" OR LateralMovementIndicator = "YES"
// Risk scoring
| DestinationBonus := if(UniqueDestinations >= 3, then=UniqueDestinations, else=0)
| BruteForceBonus := if(BruteForceIndicator == "YES", then=20, else=0)
| RiskScore := SuccessLogons + (FailedLogons * 0.5) + (NetworkLogons * 2)
    + (RemoteInteractiveLogons * 2) + (DestinationBonus * 2) + BruteForceBonus
| Severity := if(RiskScore >= 50, then="Critical",
    else=if(RiskScore >= 25, then="High",
    else=if(RiskScore >= 10, then="Medium", else="Low")))
| select([_bucket, UserName, UserDomain, Severity, RiskScore,
    BruteForceIndicator, LateralMovementIndicator,
    SuccessLogons, FailedLogons, NetworkLogons,
    UniqueDestinations, DestinationHosts, SourceIPs])
| sort(RiskScore, order=desc, type=number)

// --- Off-Hours Sensitive Domain Account Logon (run separately) ---
// #event_simpleName = UserLogon2
// | LogonType = 3
// | UserDomain != "NT AUTHORITY" AND UserDomain != ""
// | UserName != /\$$/
// | formatTime("%H", field=@timestamp, as=HourUTC, timezone="UTC")
// | HourUTC < 7 OR HourUTC > 19
// | table([_time, UserName, UserDomain, ComputerName, RemoteAddressIP4, LogonType, HourUTC])

// --- Persistence: Service or Scheduled Task Creation by Domain Account (run separately) ---
// #event_simpleName = ServiceInstalled OR #event_simpleName = ScheduledTaskRegistered
// | UserDomain != "NT AUTHORITY" AND UserDomain != "" AND UserDomain != "SYSTEM"
// | UserName != /\$$/
// | UserName != ""
// | table([_time, UserName, UserDomain, ComputerName, ServiceName, TaskName, CommandLine])
Severity: High · Confidence: High

Detects T1078.002 Domain Account Abuse in CrowdStrike Falcon LogScale (CQL) using Falcon telemetry event types. The primary query aggregates UserLogon2 and UserLogonFailed2 events per domain account in 1-hour buckets, computing brute-force success (5+ failures + 1 success) and lateral movement (3+ unique destination hosts via network or remote-interactive logon) signals with risk scoring. Companion queries (commented) cover off-hours network logons and persistence via service/scheduled task installation. Machine accounts (trailing $) and NT AUTHORITY are excluded. Uses native Falcon fields: UserName, UserDomain, LogonType, ComputerName, RemoteAddressIP4.
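To check the thresholds and scoring before deploying the query, the following added example (not from the original page or CrowdStrike) models the primary query's aggregation in Python over constructed Falcon-style UserLogon2/UserLogonFailed2 events; the event dicts, `_ev()` helper and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Falcon-style sample events (hypothetical, not real telemetry)
def _ev(ts, event, user, host, logon_type=None, domain="CORP", ip="10.0.0.5"):
    return {"ts": ts, "event": event, "UserName": user, "UserDomain": domain,
            "ComputerName": host, "LogonType": logon_type, "RemoteAddressIP4": ip}

SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T09:0{i}:00Z", "UserLogonFailed2", "jdoe", "DC01") for i in range(6)]
    + [_ev("2024-05-01T09:07:00Z", "UserLogon2", "jdoe", "DC01", 3)]        # 6 failures, then success
    + [_ev("2024-05-01T10:15:00Z", "UserLogon2", "svc_scan", f"WS0{i}", 3) for i in (1, 2, 3)]
    + [_ev("2024-05-01T10:20:00Z", "UserLogon2", "WS09$", "WS09", 3)]       # machine account: excluded
    + [_ev("2024-05-01T10:21:00Z", "UserLogon2", "SYSTEM", "WS09", 5, domain="NT AUTHORITY")]
)

def in_scope(ev):
    """Mirror the query's pre-filters: named domain account, not a machine account."""
    user, dom = ev.get("UserName", ""), ev.get("UserDomain", "")
    return bool(user) and dom not in ("", "NT AUTHORITY", "WINDOW MANAGER") and not user.endswith("$")

def hour_bucket(ts):
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0)   # span=1h

def severity(score):
    return "Critical" if score >= 50 else "High" if score >= 25 else "Medium" if score >= 10 else "Low"

def detect(events):
    """Return the buckets the query would surface, highest RiskScore first."""
    agg = defaultdict(lambda: {"succ": 0, "fail": 0, "net": 0, "rdp": 0, "hosts": set(), "ips": set()})
    for ev in filter(in_scope, events):
        b = agg[(hour_bucket(ev["ts"]), ev["UserName"], ev["UserDomain"])]
        if ev["event"] == "UserLogon2":
            b["succ"] += 1
            b["net"] += ev["LogonType"] == 3      # LogonType only present on successes
            b["rdp"] += ev["LogonType"] == 10
        else:
            b["fail"] += 1
        b["hosts"].add(ev["ComputerName"]); b["ips"].add(ev["RemoteAddressIP4"])
    hits = []
    for (bucket, user, dom), b in agg.items():
        uniq = len(b["hosts"])
        brute = b["fail"] >= 5 and b["succ"] >= 1
        lateral = uniq >= 3 and b["net"] >= 3
        if not (brute or lateral):
            continue                              # only surface meaningful signals
        score = (b["succ"] + b["fail"] * 0.5 + b["net"] * 2 + b["rdp"] * 2
                 + (uniq * 2 if uniq >= 3 else 0) + (20 if brute else 0))
        hits.append({"bucket": bucket, "UserName": user, "UserDomain": dom, "RiskScore": score,
                     "Severity": severity(score), "BruteForceSuccess": brute, "LateralMovement": lateral,
                     "DestinationHosts": sorted(b["hosts"]), "SourceIPs": sorted(b["ips"])})
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)
```

Running `detect(SAMPLE_EVENTS)` surfaces two buckets: the brute-force-then-success account scores 26.0 (High) and the three-host network logon account scores 15.0 (Medium), while the machine and NT AUTHORITY accounts are filtered out.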

Data Sources

  • CrowdStrike Falcon EDR telemetry (UserLogon2, UserLogonFailed2, ServiceInstalled, ScheduledTaskRegistered)
  • CrowdStrike Falcon LogScale / Humio repository
  • Falcon Event Stream (via Streaming API or direct LogScale ingestion)

Required Tables

  • UserLogon2 (Falcon event stream)
  • UserLogonFailed2 (Falcon event stream)
  • ServiceInstalled (Falcon event stream)
  • ScheduledTaskRegistered (Falcon event stream)

False Positives & Tuning

  • Falcon sensor deployment or policy update jobs that authenticate a domain account to many endpoints simultaneously in a short window, triggering the lateral movement bucket threshold across multiple ComputerName values.
  • Enterprise vulnerability scanners (Tenable, Qualys) configured to use domain credential authentication for authenticated scanning across subnets, generating high network logon counts and multi-host activity.
  • Kerberos pre-authentication failures from misconfigured applications or expired service principal name (SPN) configurations producing sustained 4625-equivalent events before eventual successful NTLM fallback authentication.


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Domain Account Network Logon Simulation (PsExec-style)

    Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.

  2. Test 2: Domain Account Explicit Credential Use via RunAs

    Expected signal: EventID 4648 on local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 Type 9 (NewCredentials) on local system for the spawned cmd.exe process. Sysmon EventID 1: Process Create for runas.exe with AccountName=alternate_user context.

  3. Test 3: Simulated Domain Account Brute Force Followed by Success

    Expected signal: 6x EventID 4625 on DC_HOSTNAME: Logon failures for DOMAIN\testuser with LogonType=3, FailureReason=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: Successful logon. EventID 4776 on DC: NTLM validation attempts. The pattern of failures followed by success is the primary detection signal.

  4. Test 4: Domain Account Creates Scheduled Task for Persistence

    Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
