Detect Domain Accounts in IBM QRadar
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Sub-technique: T1078.002 Domain Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/002/
QRadar Detection Query
```sql
-- Signal 1: Brute-Force Success (5+ failures and at least one success from the same
-- source to the same host within the 24h lookback; ordering is not enforced here)
SELECT
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
username AS AccountName,
domain AS AccountDomain,
sourceip AS SourceIP,
destinationip AS DestinationHost,
SUM(CASE WHEN qideventid = 4625 THEN 1 ELSE 0 END) AS FailedLogons,
SUM(CASE WHEN qideventid = 4624 THEN 1 ELSE 0 END) AS SuccessLogons,
'BruteForceSuccess' AS SignalType,
'High' AS Severity
FROM events
WHERE
LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log
AND qideventid IN (4624, 4625)
AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager', 'Font Driver Host')
AND username NOT LIKE '%$' -- exclude machine accounts
AND starttime > (NOW() - 86400000) -- 24h lookback in milliseconds
GROUP BY username, domain, sourceip, destinationip
HAVING
SUM(CASE WHEN qideventid = 4625 THEN 1 ELSE 0 END) >= 5
AND SUM(CASE WHEN qideventid = 4624 THEN 1 ELSE 0 END) >= 1
UNION ALL
-- Signal 2: Lateral Movement (3+ unique destinations, network logon type 3 or 10)
SELECT
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
username AS AccountName,
domain AS AccountDomain,
sourceip AS SourceIP,
'Multiple-Hosts' AS DestinationHost,
COUNT(*) AS FailedLogons, -- column reused to keep the UNION aligned: total network logons
COUNT(DISTINCT destinationip) AS SuccessLogons, -- column reused: number of unique destination hosts
'LateralMovement' AS SignalType,
'High' AS Severity
FROM events
WHERE
LOGSOURCETYPEID = 12
AND qideventid = 4624
AND LONG("LogonType") IN (3, 10) -- custom event property holding the Windows logon type
AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager')
AND username NOT LIKE '%$'
AND starttime > (NOW() - 86400000)
GROUP BY username, domain, sourceip
HAVING COUNT(DISTINCT destinationip) >= 3
UNION ALL
-- Signal 3: Off-Hours Domain Account Logon (network logon before 07:00 or after 19:00)
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
username AS AccountName,
domain AS AccountDomain,
sourceip AS SourceIP,
destinationip AS DestinationHost,
0 AS FailedLogons,
1 AS SuccessLogons,
'OffHoursSensitiveLogon' AS SignalType,
'Critical' AS Severity
FROM events
WHERE
LOGSOURCETYPEID = 12
AND qideventid = 4624
AND LONG("LogonType") = 3
AND domain NOT IN ('NT AUTHORITY', '', 'Window Manager')
AND username NOT LIKE '%$'
AND (EXTRACT(HOUR FROM starttime) < 7 OR EXTRACT(HOUR FROM starttime) > 19)
AND starttime > (NOW() - 86400000)
UNION ALL
-- Signal 4: Persistence via Service (4697) or Scheduled Task (4698) creation
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
username AS AccountName,
domain AS AccountDomain,
sourceip AS SourceIP,
destinationip AS DestinationHost,
0 AS FailedLogons,
0 AS SuccessLogons,
'PersistenceInstallation' AS SignalType,
'High' AS Severity
FROM events
WHERE
LOGSOURCETYPEID = 12
AND qideventid IN (4697, 4698)
AND domain NOT IN ('NT AUTHORITY', '', 'SYSTEM')
AND username NOT LIKE '%$'
AND starttime > (NOW() - 86400000)
ORDER BY FirstSeen DESC
```

Detects T1078.002 Domain Account Abuse in IBM QRadar using AQL queries against the Windows Security Event Log source type (LOGSOURCETYPEID 12). Covers four signals unified via UNION ALL: brute-force success, lateral movement to 3+ unique destinations, off-hours (before 07:00 or after 19:00) network logons, and domain account persistence via service/scheduled task creation. Machine accounts (ending in $) and system domains are excluded throughout. Note that the brute-force signal counts failures and successes within the same 24h group and does not require the success to follow the failures; the lateral-movement row reuses the FailedLogons/SuccessLogons columns for total logons and unique destination count so that all four SELECTs share one column list.
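The first three signals, re-implemented as an added, self-contained Python example (not part of the original rule or of QRadar) so the logic can be exercised offline against constructed events before the AQL is deployed. It mirrors the query's machine-account and system-domain exclusions, adds the ordering check the AQL lacks (failures must precede the success), and takes an allowlist for the service accounts discussed under tuning. The event tuples, account names and addresses are all constructed; the brute-force sample follows the six-failures-then-success pattern from Test 3 below.

```python
from collections import defaultdict

# Constructed sample events with the fields the AQL query uses:
# (qideventid, username, domain, sourceip, destinationip, logon type, hour of day)
EVENTS = [
    # Test-3 style pattern: six 4625 failures followed by one 4624 success
    *[(4625, "testuser", "DOMAIN", "10.0.0.5", "10.0.0.10", 3, 9) for _ in range(6)],
    (4624, "testuser", "DOMAIN", "10.0.0.5", "10.0.0.10", 3, 9),
    # Lateral movement: one account, network logons to three distinct hosts
    (4624, "jdoe", "DOMAIN", "10.0.0.7", "10.0.0.21", 3, 10),
    (4624, "jdoe", "DOMAIN", "10.0.0.7", "10.0.0.22", 10, 10),
    (4624, "jdoe", "DOMAIN", "10.0.0.7", "10.0.0.23", 3, 10),
    # Machine account and system domain: excluded exactly like the AQL WHERE filters
    (4624, "WS01$", "DOMAIN", "10.0.0.8", "10.0.0.30", 3, 3),
    (4624, "SYSTEM", "NT AUTHORITY", "10.0.0.8", "10.0.0.30", 3, 3),
    # Off-hours network logon at 22:00
    (4624, "admin2", "DOMAIN", "10.0.0.9", "10.0.0.40", 3, 22),
]
EXCLUDED_DOMAINS = {"NT AUTHORITY", "", "Window Manager", "Font Driver Host"}

def in_scope(e):
    """Mirror the query's filters: drop machine accounts (name ends in $) and system domains."""
    return e[2] not in EXCLUDED_DOMAINS and not e[1].endswith("$")

def brute_force_success(events, min_failures=5):
    """Signal 1 keyed on (user, domain, src, dst). Stricter than the AQL: the 4624
    must arrive after at least min_failures 4625s, in event order."""
    state = defaultdict(lambda: [0, False])  # [failures seen so far, success after them]
    for e in filter(in_scope, events):
        key = e[1:5]
        if e[0] == 4625:
            state[key][0] += 1
        elif e[0] == 4624 and state[key][0] >= min_failures:
            state[key][1] = True
    return sorted(k for k, (_, hit) in state.items() if hit)

def lateral_movement(events, min_hosts=3, allowlist=()):
    """Signal 2: distinct destinations per (user, domain, src) over logon types 3/10.
    allowlist (hypothetical tuning knob) skips known backup/helpdesk service accounts."""
    dests = defaultdict(set)
    for e in filter(in_scope, events):
        if e[0] == 4624 and e[5] in (3, 10) and e[1] not in allowlist:
            dests[e[1:4]].add(e[4])
    return sorted(k for k, d in dests.items() if len(d) >= min_hosts)

def off_hours_logons(events):
    """Signal 3: type-3 logons before 07:00 or after 19:00."""
    return [e for e in filter(in_scope, events)
            if e[0] == 4624 and e[5] == 3 and (e[6] < 7 or e[6] > 19)]
```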
False Positives & Tuning
- Enterprise backup agents using domain service accounts to authenticate across dozens of servers nightly, triggering the lateral movement threshold with legitimate network logon (type 3) activity.
- Helpdesk staff performing remote interactive (type 10) logons to multiple user workstations during a single shift for troubleshooting, crossing the 3-destination threshold within the lookback window.
- Scheduled PowerShell remoting jobs that invoke credentials explicitly (4648) against multiple hosts in off-hours maintenance windows, matching the lateral movement and off-hours signals without adversarial intent.
Testing Methodology
Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Domain Account Network Logon Simulation (PsExec-style)
Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.
- Test 2: Domain Account Explicit Credential Use via RunAs
Expected signal: EventID 4648 on local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 Type 9 (NewCredentials) on local system for the spawned cmd.exe process. Sysmon EventID 1: Process Create for runas.exe with AccountName=alternate_user context.
- Test 3: Simulated Domain Account Brute Force Followed by Success
Expected signal: 6x EventID 4625 on DC_HOSTNAME: Logon failures for DOMAIN\testuser with LogonType=3, FailureReason=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: Successful logon. EventID 4776 on DC: NTLM validation attempts. The pattern of failures followed by success is the primary detection signal.
- Test 4: Domain Account Creates Scheduled Task for Persistence
Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
References
- https://attack.mitre.org/techniques/T1078/002/
- https://technet.microsoft.com/en-us/library/dn535501.aspx
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.002/T1078.002.md
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648