T1078.002 Splunk · SPL

Detect Domain Accounts in Splunk

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique
T1078 Valid Accounts
Sub-technique
T1078.002 Domain Accounts
Canonical reference
https://attack.mitre.org/techniques/T1078/002/

SPL Detection Query

Splunk (SPL)

The accelerated form below splits success and failure counts on the CIM field `Authentication.action` rather than on `EventCode`: tstats can only group on data-model fields and does not accept eval() inside its aggregations.

```spl
| tstats summariesonly=false count as TotalEvents
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication OR nodename=Authentication.Successful_Authentication
    by Authentication.user, Authentication.src, Authentication.dest, Authentication.action, _time span=1h
| rename Authentication.* as *
| eval SuccessCount=if(action="success", TotalEvents, 0), FailureCount=if(action="failure", TotalEvents, 0)
| stats sum(TotalEvents) as TotalEvents, sum(SuccessCount) as SuccessCount, sum(FailureCount) as FailureCount by user, src, dest, _time
```

Use the raw search below for full fidelity:

```spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4672 OR EventCode=4697 OR EventCode=4698)
| eval LogonType=if(EventCode=4624 OR EventCode=4625, LogonType, "N/A")
| eval AccountDomain=coalesce(TargetDomainName, SubjectDomainName)
| eval AccountName=coalesce(TargetUserName, SubjectUserName)
| where AccountDomain!="" AND AccountDomain!="NT AUTHORITY" AND AccountDomain!="Window Manager" AND AccountDomain!="Font Driver Host"
| where NOT match(AccountName, "\$$")
| eval EventType=case(
    EventCode=4624, "SuccessfulLogon",
    EventCode=4625, "FailedLogon",
    EventCode=4648, "ExplicitCredentialUse",
    EventCode=4672, "SpecialPrivilegeLogon",
    EventCode=4697, "ServiceInstalled",
    EventCode=4698, "ScheduledTaskCreated",
    true(), "Other"
  )
| eval IsNetworkLogon=if(EventCode=4624 AND LogonType=3, 1, 0)
| eval IsRemoteInteractive=if(EventCode=4624 AND LogonType=10, 1, 0)
| eval IsOffHours=if(tonumber(strftime(_time, "%H")) < 7 OR tonumber(strftime(_time, "%H")) > 19, 1, 0)
| eval IsExplicitCred=if(EventCode=4648, 1, 0)
| eval IsPersistence=if(EventCode=4697 OR EventCode=4698, 1, 0)
| eval SignalScore=IsNetworkLogon + IsRemoteInteractive + IsOffHours + IsExplicitCred + IsPersistence
| stats
    count as TotalEvents,
    min(_time) as FirstSeen,
    max(_time) as LastSeen,
    count(eval(EventCode=4624)) as SuccessLogons,
    count(eval(EventCode=4625)) as FailedLogons,
    sum(IsNetworkLogon) as NetworkLogons,
    sum(IsRemoteInteractive) as RemoteInteractiveLogons,
    sum(IsOffHours) as OffHoursEvents,
    sum(IsExplicitCred) as ExplicitCredentialUse,
    sum(IsPersistence) as PersistenceEvents,
    dc(ComputerName) as UniqueDestinations,
    values(ComputerName) as Destinations,
    values(IpAddress) as SourceIPs,
    values(EventType) as ObservedEventTypes,
    max(SignalScore) as MaxSignalScore
  by AccountName, AccountDomain
| eval RiskScore=SuccessLogons + (FailedLogons * 0.5) + (NetworkLogons * 2) + (RemoteInteractiveLogons * 2) + (OffHoursEvents * 3) + (ExplicitCredentialUse * 4) + (PersistenceEvents * 5) + (if(UniqueDestinations >= 3, UniqueDestinations * 2, 0)) + (if(FailedLogons >= 5 AND SuccessLogons >= 1, 20, 0))
| eval Severity=case(
    RiskScore >= 50, "Critical",
    RiskScore >= 25, "High",
    RiskScore >= 10, "Medium",
    true(), "Low"
  )
| where RiskScore >= 10
| eval BruteForceIndicator=if(FailedLogons >= 5 AND SuccessLogons >= 1, "YES", "NO")
| eval LateralMovementIndicator=if(UniqueDestinations >= 3 AND NetworkLogons >= 3, "YES", "NO")
| eval PersistenceIndicator=if(PersistenceEvents >= 1, "YES", "NO")
| convert ctime(FirstSeen) ctime(LastSeen)
| table FirstSeen, LastSeen, AccountName, AccountDomain, RiskScore, Severity, BruteForceIndicator, LateralMovementIndicator, PersistenceIndicator, TotalEvents, SuccessLogons, FailedLogons, NetworkLogons, UniqueDestinations, Destinations, SourceIPs, ExplicitCredentialUse, OffHoursEvents
| sort - RiskScore
```
Severity: High · Confidence: Medium

Detects domain account abuse using Windows Security Event logs in Splunk. Ingests EventIDs 4624 (successful logon), 4625 (failed logon), 4648 (explicit credential use), 4672 (special privilege logon), 4697 (service installed), and 4698 (scheduled task created). Machine accounts (names ending in $) and the built-in NT AUTHORITY, Window Manager and Font Driver Host domains are excluded before scoring. Computes a composite risk score per account weighted by logon type, time of day, persistence indicators, lateral movement breadth, and brute-force patterns; note that 4672 carries no weight of its own and only contributes through the event count and the off-hours signal. Flags three key abuse scenarios: brute-force/credential spray success (5+ failures followed by success), lateral movement (3+ unique destinations via network logon), and domain account persistence (service or task installation). Results are severity-bucketed for analyst triage, and accounts scoring below 10 (Low) are dropped.
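To sanity-check the scoring arithmetic outside Splunk, here is an added Python re-implementation of the per-account aggregation (example code, not part of the original detection package). The events it scores are constructed to mirror Test 3 and Test 4 below; the account names, hosts and timestamps are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry): six failed network logons
# then one success at 03:00, plus a lone scheduled-task creation at midday.
EVENTS = [
    {"EventCode": 4625, "TargetUserName": "testuser", "TargetDomainName": "DOMAIN",
     "LogonType": 3, "ComputerName": "DC01", "_time": datetime(2024, 1, 1, 3, i)}
    for i in range(6)
] + [
    {"EventCode": 4624, "TargetUserName": "testuser", "TargetDomainName": "DOMAIN",
     "LogonType": 3, "ComputerName": "DC01", "_time": datetime(2024, 1, 1, 3, 10)},
    {"EventCode": 4698, "SubjectUserName": "svc_account", "SubjectDomainName": "DOMAIN",
     "ComputerName": "WS07", "_time": datetime(2024, 1, 1, 12, 0)},
]

def score_accounts(events):
    """Replicate the SPL signal sums, RiskScore weights, severity buckets and flags."""
    acc, dests = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for e in events:
        name = e.get("TargetUserName") or e.get("SubjectUserName")
        domain = e.get("TargetDomainName") or e.get("SubjectDomainName")
        if not name or not domain or name.endswith("$"):  # same exclusions as the where clauses
            continue
        code, lt, hour = e["EventCode"], e.get("LogonType"), e["_time"].hour
        a = acc[(name, domain)]
        a["Success"] += code == 4624
        a["Failed"] += code == 4625
        a["Network"] += code == 4624 and lt == 3
        a["RemoteInteractive"] += code == 4624 and lt == 10
        a["OffHours"] += hour < 7 or hour > 19
        a["ExplicitCred"] += code == 4648
        a["Persistence"] += code in (4697, 4698)
        dests[(name, domain)].add(e["ComputerName"])
    results = {}
    for key, a in acc.items():
        uniq = len(dests[key])
        risk = (a["Success"] + a["Failed"] * 0.5 + a["Network"] * 2
                + a["RemoteInteractive"] * 2 + a["OffHours"] * 3
                + a["ExplicitCred"] * 4 + a["Persistence"] * 5
                + (uniq * 2 if uniq >= 3 else 0)
                + (20 if a["Failed"] >= 5 and a["Success"] >= 1 else 0))
        if risk < 10:  # accounts below Medium are dropped, as in the SPL where clause
            continue
        severity = "Critical" if risk >= 50 else "High" if risk >= 25 else "Medium"
        results[key] = {"RiskScore": risk, "Severity": severity,
                        "BruteForceIndicator": a["Failed"] >= 5 and a["Success"] >= 1,
                        "LateralMovementIndicator": uniq >= 3 and a["Network"] >= 3,
                        "PersistenceIndicator": a["Persistence"] >= 1}
    return results
```

Running it scores testuser at 47.0 (High, brute-force flagged), while svc_account's single 4698 scores only 5 and is dropped by the RiskScore floor, so PersistenceIndicator can only ever fire alongside other signals.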

Data Sources

  • Authentication: Authentication
  • Logon Session: Logon Session Creation
  • Windows Event Log: Security

Required Sourcetypes

WinEventLog:Security

False Positives & Tuning

  • Legitimate IT administrators performing authorized after-hours maintenance, patching, or incident response across multiple systems
  • Service accounts that traverse many workstations as part of normal operations (e.g., backup agents, antivirus, patch management)
  • Automated software deployment systems (SCCM, Intune, Ansible) that authenticate to many systems in rapid succession
  • Password policy enforcement causing legitimate users to fail multiple times before successfully entering a new password
  • Helpdesk staff using domain admin credentials to perform authorized remote support across multiple machines
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Domain Account Network Logon Simulation (PsExec-style)

    Expected signal: EventID 4648 on source: Explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if account is in local admins. EventID 5140 on TARGET_HOSTNAME: Network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.

  2. Test 2: Domain Account Explicit Credential Use via RunAs

    Expected signal: EventID 4648 on local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 Type 9 (NewCredentials) on local system for the spawned cmd.exe process. Sysmon EventID 1: Process Create for runas.exe with AccountName=alternate_user context.

  3. Test 3: Simulated Domain Account Brute Force Followed by Success

    Expected signal: 6x EventID 4625 on DC_HOSTNAME: Logon failures for DOMAIN\testuser with LogonType=3, FailureReason=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: Successful logon. EventID 4776 on DC: NTLM validation attempts. The pattern of failures followed by success is the primary detection signal.

  4. Test 4: Domain Account Creates Scheduled Task for Persistence

    Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
