Detect Valid Accounts in Elastic Security
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/
Elastic Detection Query
sequence by winlog.event_data.TargetUserName with maxspan=1h
[authentication where
event.code == "4625" and
not winlog.event_data.TargetUserName in~ ("system", "anonymous logon", "-", "local service", "network service") and
not winlog.event_data.TargetUserName like "*$"
] with runs=5
[authentication where
event.code in ("4624", "4648", "4672") and
not winlog.event_data.TargetUserName in~ ("system", "anonymous logon", "-", "local service", "network service") and
(
winlog.event_data.LogonType in ("8", "9", "10") or
event.code == "4672" or
event.code == "4648"
)
]Detects T1078 Valid Accounts abuse using an EQL sequence: 5 or more failed authentication events (Event ID 4625) followed within one hour by a successful logon bearing suspicious characteristics — privileged session creation (4672), explicit alternate credential use (4648), or a high-risk logon type such as NetworkCleartext (type 8), NewCredentials (type 9), or RemoteInteractive (type 10). Sequence correlation eliminates the high false-positive rate of pure threshold approaches by requiring the failure-then-success pattern rather than counting failures alone. Machine accounts (ending in $) and built-in system identities are suppressed.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate users who repeatedly mistype a new password after a forced reset and then successfully authenticate from an RDP session or remote access gateway, satisfying the failure-then-success-with-RemoteInteractive pattern
- IT administrators who run scripted credential validation tests (e.g., Test-ADAuthentication loops) followed by an intentional successful logon to confirm account functionality after a password change
- Service account password rotation workflows where the old credential is attempted several times by a lagging process before the new credential takes effect, followed by a successful logon of type NewCredentials from the updated service
Other platforms for T1078
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Remote Logon (Windows)
Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.
- Test 2Simulate Service Account Lateral Movement via WMI
Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.
- Test 3Simulate Dormant Account Reactivation (Local)
Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.
- Test 4Simulate Cloud Account Compromise via Azure CLI
Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.
- Test 5Test Impossible Travel Detection Trigger
Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.
References (10)
- https://attack.mitre.org/techniques/T1078/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md
- https://www.mandiant.com/resources/blog/unc3944-scattered-spider
- https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://technet.microsoft.com/en-us/library/dn535501.aspx
Unlock Pro Content
Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.