Detect Valid Accounts in Google Chronicle
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/
YARA-L Detection Query
rule t1078_valid_accounts_failed_then_privileged_logon {
meta:
author = "Detection Engineering"
description = "Detects T1078 Valid Accounts abuse: 5+ failed authentication events followed within one hour by a successful logon with elevated privileges or suspicious authentication mechanism"
mitre_attack_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
mitre_attack_technique = "T1078"
mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
severity = "HIGH"
confidence = "MEDIUM"
version = "1.0"
events:
$fail.metadata.event_type = "USER_LOGIN_FAIL"
$fail.metadata.vendor_name = "Microsoft"
$fail.target.user.userid != ""
not re.regex($fail.target.user.userid, `(?i)^(SYSTEM|ANONYMOUS LOGON|LOCAL SERVICE|NETWORK SERVICE)$`)
not re.regex($fail.target.user.userid, `\$$`)
$user = $fail.target.user.userid
$success.metadata.event_type = "USER_LOGIN"
$success.target.user.userid = $user
(
$success.extensions.auth.auth_details = "NetworkCleartext" or
$success.extensions.auth.auth_details = "NewCredentials" or
$success.extensions.auth.auth_details = "RemoteInteractive" or
$success.extensions.auth.mechanism = "REMOTE" or
$success.security_result.severity_details = "HIGH"
)
match:
$user over 1h
condition:
#fail > 5 and #success >= 1
}Chronicle YARA-L 2.0 rule that correlates USER_LOGIN_FAIL events against USER_LOGIN events in the UDM (Unified Data Model) for the same user identity within a rolling one-hour window. Alerts when more than 5 authentication failures precede at least one successful logon exhibiting a suspicious characteristic: NetworkCleartext or NewCredentials auth details (UDM extension fields mapped from Windows logon types 8/9), RemoteInteractive session, a REMOTE auth mechanism, or a HIGH-severity security result. Machine accounts and system identities are excluded via YARA-L regex. The `#fail` and `#success` counters in the condition block count matched event instances within the match window.
Data Sources
Required Tables
False Positives & Tuning
- Users who repeatedly mistype a complex new password after a forced reset before successfully authenticating via an RDP gateway will satisfy the 5-failure threshold and match RemoteInteractive in the success event
- Automated testing or synthetic monitoring agents that deliberately attempt credential validation (expecting failures) before performing a confirmation successful logon as part of identity health checks
- Azure AD B2B guest account federation flows where the initial authentication attempts fail against the home tenant before succeeding through an external IdP, generating failure UDM events prior to the successful federated logon
Other platforms for T1078
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Remote Logon (Windows)
Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.
- Test 2Simulate Service Account Lateral Movement via WMI
Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.
- Test 3Simulate Dormant Account Reactivation (Local)
Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.
- Test 4Simulate Cloud Account Compromise via Azure CLI
Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.
- Test 5Test Impossible Travel Detection Trigger
Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.
References (10)
- https://attack.mitre.org/techniques/T1078/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md
- https://www.mandiant.com/resources/blog/unc3944-scattered-spider
- https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://technet.microsoft.com/en-us/library/dn535501.aspx
Unlock Pro Content
Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.