Detect Domain Accounts in Sumo Logic CSE
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Sub-technique: T1078.002 Domain Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/002/
Sumo Detection Query
// T1078.002 — Domain Account Abuse | Sumo Logic CSE / CIP Query
// Covers: brute-force success, lateral movement, off-hours logon, persistence
// Assumes Windows Security events rendered as key=value text with one field per line
// (EventCode=..., TargetUserName=...); adjust the parse stages if your collector ships JSON or XML.
// _sourceCategory=*security* is broad on purpose; narrow it to your Windows source categories if it pulls in other data.
_sourceCategory=*windows* OR _sourceCategory=*wineventlog* OR _sourceCategory=*security*
| parse field=_raw "EventCode=*" as EventCode nodrop
| parse field=_raw "TargetUserName=*" as TargetUserName nodrop
| parse field=_raw "TargetDomainName=*" as TargetDomainName nodrop
| parse field=_raw "SubjectUserName=*" as SubjectUserName nodrop
| parse field=_raw "SubjectDomainName=*" as SubjectDomainName nodrop
| parse field=_raw "LogonType=*" as LogonType nodrop
| parse field=_raw "IpAddress=*" as SourceIP nodrop
| parse field=_raw "ComputerName=*" as DestHost nodrop
// Keep only the event IDs that are scored, before any further processing
| where EventCode in ("4624", "4625", "4648", "4672", "4697", "4698")
// Normalize account fields: prefer the Target* account (the one being logged on or impersonated), fall back to Subject*
| if(!isBlank(TargetUserName), TargetUserName, SubjectUserName) as AccountName
| if(!isBlank(TargetDomainName), TargetDomainName, SubjectDomainName) as AccountDomain
// Filter: domain accounts only; drop system pseudo-domains and machine accounts (names ending in $)
| where !isBlank(AccountDomain) && AccountDomain != "NT AUTHORITY" && AccountDomain != "Window Manager" && AccountDomain != "Font Driver Host"
| where !(AccountName matches "*$")
// Classify events as 1/0 flags so they can be summed
| if(EventCode = "4624", 1, 0) as IsSuccess
| if(EventCode = "4625", 1, 0) as IsFailure
| if(EventCode = "4624" && LogonType = "3", 1, 0) as IsNetworkLogon
| if(EventCode = "4624" && LogonType = "10", 1, 0) as IsRemoteInteractive
| if(EventCode = "4648", 1, 0) as IsExplicitCred
| if(EventCode = "4697" || EventCode = "4698", 1, 0) as IsPersistence
// Off-hours = before 07:00 or after 19:59 in the search's display time zone.
// Every scored event counts here, so 4672 (special privileges assigned) contributes via this flag and the destination counts only.
| toInt(formatDate(_messageTime, "HH")) as Hour
| if(Hour < 7 || Hour > 19, 1, 0) as IsOffHours
// Aggregate per account over the lookback window
| timeslice 24h
| sum(IsSuccess) as SuccessLogons,
  sum(IsFailure) as FailedLogons,
  sum(IsNetworkLogon) as NetworkLogons,
  sum(IsRemoteInteractive) as RemoteInteractiveLogons,
  sum(IsExplicitCred) as ExplicitCredUse,
  sum(IsPersistence) as PersistenceEvents,
  sum(IsOffHours) as OffHoursEvents,
  count_distinct(DestHost) as UniqueDestinations,
  values(DestHost) as DestinationHosts,
  values(SourceIP) as SourceIPs
  by AccountName, AccountDomain, _timeslice
// Risk scoring: additive weights plus bonuses for fan-out to 3+ hosts and for brute force followed by success
| if(UniqueDestinations >= 3, UniqueDestinations * 2, 0) as FanOutBonus
| if(FailedLogons >= 5 && SuccessLogons >= 1, 20, 0) as BruteForceBonus
| SuccessLogons
  + (FailedLogons * 0.5)
  + (NetworkLogons * 2)
  + (RemoteInteractiveLogons * 2)
  + (OffHoursEvents * 3)
  + (ExplicitCredUse * 4)
  + (PersistenceEvents * 5)
  + FanOutBonus
  + BruteForceBonus as RiskScore
// Indicator flags
| if(BruteForceBonus > 0, "YES", "NO") as BruteForceIndicator
| if(UniqueDestinations >= 3 && NetworkLogons >= 3, "YES", "NO") as LateralMovementIndicator
| if(PersistenceEvents >= 1, "YES", "NO") as PersistenceIndicator
// Severity classification
| if(RiskScore >= 50, "Critical",
    if(RiskScore >= 25, "High",
      if(RiskScore >= 10, "Medium", "Low"))) as Severity
// Filter actionable results
| where RiskScore >= 10
| fields _timeslice, AccountName, AccountDomain, RiskScore, Severity,
  BruteForceIndicator, LateralMovementIndicator, PersistenceIndicator,
  SuccessLogons, FailedLogons, NetworkLogons, UniqueDestinations,
  DestinationHosts, SourceIPs, ExplicitCredUse, OffHoursEvents, PersistenceEvents
| sort by RiskScore desc
Detects T1078.002 Domain Account Abuse in Sumo Logic CIP using a risk-scoring approach over Windows Security Event Log data. It reads event codes 4624, 4625, 4648, 4672, 4697 and 4698 from the Windows event log source categories, normalizes each event to the domain account it concerns, and drops machine accounts and system pseudo-domains. It then computes a weighted RiskScore per account per 24-hour timeslice: +1 per successful logon, +0.5 per failed logon, +2 per network (type 3) or RemoteInteractive (type 10) logon, +3 per event outside 07:00 to 19:59, +4 per explicit-credential logon (4648), +5 per service install or scheduled task creation (4697/4698), +2 per distinct destination host once an account touches 3 or more hosts, and a flat +20 when 5 or more failures are followed by at least one success in the same window. Event 4672 is not weighted on its own; it only feeds the off-hours and destination counts. Accounts with RiskScore >= 10 are surfaced with a severity band (Medium from 10, High from 25, Critical from 50) and YES/NO indicator flags for brute force, lateral movement and persistence. Note that the off-hours flag uses the hour in the search's display time zone, so align it with the time zone of the users being monitored.
Data Sources
Windows Security event log collected into source categories matching *windows*, *wineventlog* or *security*, with the fields EventCode, TargetUserName, TargetDomainName, SubjectUserName, SubjectDomainName, LogonType, IpAddress and ComputerName parseable from the raw message. The query depends on the following audit policy subcategories being enabled on the collected hosts: Audit Logon (4624, 4625, 4648), Audit Special Logon (4672), Audit Security System Extension (4697) and Audit Other Object Access Events (4698). Logon events are written on the host that accepted or rejected the logon, so workstations and member servers must be collected, not only domain controllers.
False Positives & Tuning
- DevOps CI/CD pipelines using a shared domain service account to deploy to multiple servers simultaneously, generating high UniqueDestinations counts and network logon activity that exceeds the lateral movement threshold.
- Security scanners or vulnerability assessment tools authenticating as a domain account across the estate during off-hours scans, producing both off-hours logon and multi-host signals.
- Password reset workflows that generate multiple 4625 events (wrong password entered during reset) immediately followed by a 4624 on the final correct attempt, matching the brute-force success pattern.
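The scoring described in the query summary above and the tuning cases in this list are easiest to reason about when the arithmetic can be run offline. The following Python block is an added example, not code from the original page: it reimplements the query's normalization, filters, weights and thresholds over a handful of constructed Windows Security event records (plain dictionaries standing in for already-parsed fields, all assumed to fall in one 24h timeslice with ISO 8601 timestamps). The sample contains the brute-force-then-success pattern from Test 3, a service account fanning out to several hosts off-hours, the password-reset false positive from this list, and two records the filters must drop.

```python
"""Offline replay of the T1078.002 risk-scoring logic used by the Sumo query.

Added example, not part of the original detection page. It applies the same
normalisation, filters, weights and thresholds to constructed Windows Security
events so the scoring can be unit-tested and the tuning cases reasoned about.
Assumptions: one 24h timeslice, ISO 8601 timestamps, fields already parsed.
"""
from collections import defaultdict
from datetime import datetime

# Domains the query drops before scoring (system / pseudo-domains).
SYSTEM_DOMAINS = {"", "NT AUTHORITY", "Window Manager", "Font Driver Host"}
SCORED_EVENT_CODES = {"4624", "4625", "4648", "4672", "4697", "4698"}


def account_key(ev):
    """Prefer Target*, fall back to Subject*, like the query's AccountName/AccountDomain."""
    name = ev.get("TargetUserName") or ev.get("SubjectUserName") or ""
    domain = ev.get("TargetDomainName") or ev.get("SubjectDomainName") or ""
    return name, domain


def is_candidate(ev):
    """Same pre-filter as the query: scored event codes, real domains, no machine accounts."""
    name, domain = account_key(ev)
    return (ev.get("EventCode") in SCORED_EVENT_CODES
            and domain not in SYSTEM_DOMAINS
            and not name.endswith("$"))


def _new_bucket():
    return {"SuccessLogons": 0, "FailedLogons": 0, "NetworkLogons": 0,
            "RemoteInteractiveLogons": 0, "ExplicitCredUse": 0,
            "PersistenceEvents": 0, "OffHoursEvents": 0, "dest": set(), "src": set()}


def score_accounts(events, min_score=10):
    """Aggregate per (AccountName, AccountDomain); return rows with RiskScore >= min_score, highest first."""
    buckets = defaultdict(_new_bucket)
    for ev in events:
        if not is_candidate(ev):
            continue
        b = buckets[account_key(ev)]
        code, logon_type = ev["EventCode"], ev.get("LogonType")
        b["SuccessLogons"] += int(code == "4624")
        b["FailedLogons"] += int(code == "4625")
        b["NetworkLogons"] += int(code == "4624" and logon_type == "3")
        b["RemoteInteractiveLogons"] += int(code == "4624" and logon_type == "10")
        b["ExplicitCredUse"] += int(code == "4648")
        b["PersistenceEvents"] += int(code in ("4697", "4698"))
        hour = datetime.fromisoformat(ev["_messageTime"]).hour
        b["OffHoursEvents"] += int(hour < 7 or hour > 19)  # every scored event counts, 4672 included
        b["dest"].add(ev.get("ComputerName"))
        b["src"].add(ev.get("IpAddress"))

    rows = []
    for (name, domain), b in buckets.items():
        uniq = len(b["dest"] - {None})
        brute = b["FailedLogons"] >= 5 and b["SuccessLogons"] >= 1
        risk = (b["SuccessLogons"] + b["FailedLogons"] * 0.5
                + b["NetworkLogons"] * 2 + b["RemoteInteractiveLogons"] * 2
                + b["OffHoursEvents"] * 3 + b["ExplicitCredUse"] * 4
                + b["PersistenceEvents"] * 5
                + (uniq * 2 if uniq >= 3 else 0) + (20 if brute else 0))
        if risk < min_score:
            continue
        severity = ("Critical" if risk >= 50 else "High" if risk >= 25
                    else "Medium" if risk >= 10 else "Low")
        rows.append({"AccountName": name, "AccountDomain": domain, "RiskScore": risk,
                     "Severity": severity, "UniqueDestinations": uniq,
                     "BruteForceIndicator": "YES" if brute else "NO",
                     "LateralMovementIndicator": "YES" if uniq >= 3 and b["NetworkLogons"] >= 3 else "NO",
                     "PersistenceIndicator": "YES" if b["PersistenceEvents"] else "NO",
                     "DestinationHosts": sorted(h for h in b["dest"] if h),
                     "SourceIPs": sorted(ip for ip in b["src"] if ip)})
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


def _ev(code, ts, host, ip, **fields):
    """Build a constructed (not captured) event record."""
    return {"EventCode": code, "_messageTime": ts, "ComputerName": host, "IpAddress": ip, **fields}


# Constructed sample (hostnames, IPs and account names are made up):
# Test 3 pattern, an off-hours fan-out, the password-reset false positive, and two records to drop.
SAMPLE_EVENTS = (
    [_ev("4625", "2024-05-06T10:00:00", "DC01", "10.0.0.5", TargetUserName="testuser",
         TargetDomainName="CORP", LogonType="3") for _ in range(6)]
    + [_ev("4624", "2024-05-06T10:00:30", "DC01", "10.0.0.5", TargetUserName="testuser",
           TargetDomainName="CORP", LogonType="3")]
    + [_ev("4648", "2024-05-06T22:05:00", "JUMP01", "10.0.0.20", SubjectUserName="admin",
           SubjectDomainName="CORP", TargetUserName="svc_deploy", TargetDomainName="CORP")]
    + [_ev("4624", f"2024-05-06T22:0{i}:00", f"WEB0{i}", "10.0.0.20", TargetUserName="svc_deploy",
           TargetDomainName="CORP", LogonType="3") for i in (1, 2, 3)]
    + [_ev("4625", "2024-05-06T09:00:00", "WS01", "127.0.0.1", TargetUserName="jdoe",
           TargetDomainName="CORP", LogonType="2") for _ in range(5)]
    + [_ev("4624", "2024-05-06T09:01:00", "WS01", "127.0.0.1", TargetUserName="jdoe",
           TargetDomainName="CORP", LogonType="2")]
    + [_ev("4624", "2024-05-06T03:00:00", "DC01", "10.0.0.7", TargetUserName="WEB01$",
           TargetDomainName="CORP", LogonType="3"),
       _ev("4624", "2024-05-06T03:00:00", "WS01", "-", TargetUserName="SYSTEM",
           TargetDomainName="NT AUTHORITY", LogonType="5")]
)

if __name__ == "__main__":
    for row in score_accounts(SAMPLE_EVENTS):
        print(row["AccountDomain"], row["AccountName"], row["RiskScore"], row["Severity"],
              "brute=" + row["BruteForceIndicator"], "lateral=" + row["LateralMovementIndicator"])
```

Running it shows why the password-reset case needs tuning: jdoe scores 23.5 (Medium, BruteForceIndicator YES) from five interactive failures and one success on a single workstation, the same flat +20 bonus the genuine Test 3 pattern earns, while the off-hours fan-out by svc_deploy scores highest at 33 without any failures at all. A practical suppression is to require LogonType 3 failures, or failures from more than one source, before applying the brute-force bonus.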
Testing Methodology
Validate this detection against four adversary behaviours drawn from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Domain Account Network Logon Simulation (PsExec-style)
Expected signal: EventID 4648 on the source host: explicit credential logon with TargetServerName=TARGET_HOSTNAME and TargetUserName=username. EventID 4624 Type 3 on TARGET_HOSTNAME: TargetUserName=username, IpAddress=source IP. EventID 4672 on TARGET_HOSTNAME if the account is in the local Administrators group. EventID 5140 on TARGET_HOSTNAME: network share C$ accessed. Sysmon EventID 3 if net.exe network connections are monitored.
- Test 2: Domain Account Explicit Credential Use via RunAs
Expected signal: EventID 4648 on the local system: SubjectUserName=current user, TargetUserName=alternate_user, TargetDomainName=DOMAIN, ProcessName=runas.exe. EventID 4624 on the local system for the spawned cmd.exe process: Type 9 (NewCredentials) when runas is invoked with /netonly, Type 2 (Interactive) otherwise. Sysmon EventID 1: process create for runas.exe, and for the spawned cmd.exe in the alternate_user context.
- Test 3: Simulated Domain Account Brute Force Followed by Success
Expected signal: 6x EventID 4625 on DC_HOSTNAME: logon failures for DOMAIN\testuser with LogonType=3, Status=0xC000006D and SubStatus=0xC000006A (wrong password). 1x EventID 4624 Type 3 on DC_HOSTNAME: successful logon. EventID 4776 on the DC: NTLM credential validation attempts with error code 0xC000006A. The pattern of failures followed by success is the primary detection signal. Note that 4625 is written on the host that rejected the logon, so it lands on the DC only when the test authenticates to the DC itself; if the client negotiates Kerberos instead of NTLM, the failures show up on the DC as 4771 (pre-authentication failed) rather than 4776.
- Test 4: Domain Account Creates Scheduled Task for Persistence
Expected signal: EventID 4698 (Scheduled Task Created): SubjectUserName=current user, TaskName=WindowsDefenderUpdate, TaskContent includes the command and RunAs=DOMAIN\svc_account. Sysmon EventID 1: schtasks.exe process creation with the full command line. If Sysmon registry monitoring is enabled, EventID 12/13 for Task Scheduler registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
References
- https://attack.mitre.org/techniques/T1078/002/
- https://technet.microsoft.com/en-us/library/dn535501.aspx
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.002/T1078.002.md
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648