Detect Domain Accounts in Microsoft Sentinel
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Sub-technique
- T1078.002 Domain Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/002/
KQL Detection Query
// T1078.002 — Domain Account Abuse Detection
// Detects suspicious use of domain accounts across multiple high-fidelity signals
let LookbackWindow = 24h;
let SuspiciousLogonTypes = dynamic([3, 10]); // Network and RemoteInteractive
let SensitiveGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"]);
let BruteForceThreshold = 5;
// Signal 1: Successful logon after multiple failures (potential credential stuffing)
let BruteForceSuccess =
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (4624, 4625)
| where AccountType == "User" and TargetDomainName != "" and TargetDomainName != "NT AUTHORITY"
| summarize
FailureCount = countif(EventID == 4625),
SuccessCount = countif(EventID == 4624),
SuccessTime = maxif(TimeGenerated, EventID == 4624),
FailureTime = minif(TimeGenerated, EventID == 4625),
LogonTypes = make_set(LogonType),
SourceIPs = make_set(IpAddress)
by TargetUserName, TargetDomainName, Computer
| where FailureCount >= BruteForceThreshold and SuccessCount >= 1
| extend SignalType = "BruteForceSuccess", Severity = "High"
| project TargetUserName, TargetDomainName, Computer, SignalType, Severity, FailureCount, SuccessCount, SourceIPs, LogonTypes;
// Signal 2: Domain account logon from unusual/new workstation (lateral movement indicator)
let LateralMovement =
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType in (SuspiciousLogonTypes)
| where AccountType == "User"
| where TargetDomainName != "" and TargetDomainName != "NT AUTHORITY" and TargetDomainName != "Window Manager"
| where not(TargetUserName endswith "$") // Exclude machine accounts
| summarize
UniqueWorkstations = dcount(Computer),
Workstations = make_set(Computer),
SourceIPs = make_set(IpAddress),
LogonCount = count()
by TargetUserName, TargetDomainName, bin(TimeGenerated, 1h)
| where UniqueWorkstations >= 3
| extend SignalType = "LateralMovement", Severity = "High"
| project TargetUserName, TargetDomainName, SignalType, Severity, UniqueWorkstations, Workstations, SourceIPs, LogonCount;
// Signal 3: Sensitive group member account used in off-hours network logon
let SensitiveAccountLogon =
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType == 3
| where AccountType == "User"
| where TargetDomainName != "" and TargetDomainName != "NT AUTHORITY"
| where not(TargetUserName endswith "$")
| extend HourOfDay = datetime_part("Hour", TimeGenerated)
| where HourOfDay !between (7 .. 19) // Off-hours: before 7am or after 7pm
| join kind=inner (
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4728 or EventID == 4732 // Member added to security-enabled group
| extend SensitiveGroupMember = TargetUserName
) on $left.TargetUserName == $right.SensitiveGroupMember
| project TimeGenerated, TargetUserName, TargetDomainName, Computer, IpAddress, LogonType
| extend SignalType = "SensitiveAccountOffHoursLogon", Severity = "Critical";
// Signal 4: Domain account used to create new service or scheduled task (persistence)
let PersistenceViaAccount =
SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (4697, 4698) // Service installed, Scheduled task created
| where SubjectDomainName != "" and SubjectDomainName != "NT AUTHORITY" and SubjectDomainName != "SYSTEM"
| where not(SubjectUserName endswith "$")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, EventID,
TaskName = iff(EventID == 4698, TaskName, ServiceName),
SignalType = "PersistenceInstallation", Severity = "High";
// Combine all signals
BruteForceSuccess
| extend TimeGenerated = now()
| union (
LateralMovement
| extend TimeGenerated = now(), Computer = tostring(Workstations[0])
)
| union (
SensitiveAccountLogon
| project TargetUserName, TargetDomainName, Computer, SignalType, Severity, TimeGenerated
| extend FailureCount = int(null), SuccessCount = int(null), SourceIPs = dynamic(null), LogonTypes = dynamic(null)
)
| union (
PersistenceViaAccount
| project TargetUserName = SubjectUserName, TargetDomainName = SubjectDomainName, Computer, SignalType, Severity, TimeGenerated
| extend FailureCount = int(null), SuccessCount = int(null), SourceIPs = dynamic(null), LogonTypes = dynamic(null)
)
| project TimeGenerated, TargetUserName, TargetDomainName, Computer, SignalType, Severity
| sort by TimeGenerated descDetects abuse of domain accounts using multiple signals from Windows Security Event logs in Microsoft Sentinel. Four detection patterns are combined: (1) Brute-force followed by successful authentication suggesting credential stuffing or password spray success; (2) A single domain account authenticating to 3+ unique workstations within one hour indicating lateral movement; (3) Sensitive group member accounts logging on over the network during off-hours; (4) Domain accounts creating new services or scheduled tasks indicating persistence installation. Results are unioned and enriched with signal type and severity for analyst prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT administrators performing authorized after-hours maintenance, patching, or incident response across multiple systems
- Service accounts that traverse many workstations as part of normal operations (e.g., backup agents, antivirus, patch management)
- Automated software deployment systems (SCCM, Intune, Ansible) that authenticate to many systems in rapid succession
- Password policy enforcement causing legitimate users to fail multiple times before successfully entering a new password
- Helpdesk staff using domain admin credentials to perform authorized remote support across multiple machines
Other platforms for T1078.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Domain Account Network Logon Simulation (PsExec-style)
Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.
- Test 2Domain Account Explicit Credential Use via RunAs
Expected signal: EventID 4648 on local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 Type 9 (NewCredentials) on local system for the spawned cmd.exe process. Sysmon EventID 1: Process Create for runas.exe with AccountName=alternate_user context.
- Test 3Simulated Domain Account Brute Force Followed by Success
Expected signal: 6x EventID 4625 on DC_HOSTNAME: Logon failures for DOMAIN\testuser with LogonType=3, FailureReason=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: Successful logon. EventID 4776 on DC: NTLM validation attempts. The pattern of failures followed by success is the primary detection signal.
- Test 4Domain Account Creates Scheduled Task for Persistence
Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
References (12)
- https://attack.mitre.org/techniques/T1078/002/
- https://technet.microsoft.com/en-us/library/dn535501.aspx
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.002/T1078.002.md
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
Unlock Pro Content
Get the full detection package for T1078.002 including response playbook, investigation guide, and atomic red team tests.