T1078 CrowdStrike LogScale · LogScale

Detect Valid Accounts in CrowdStrike LogScale

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation Defense Evasion
Technique
T1078 Valid Accounts
Canonical reference
https://attack.mitre.org/techniques/T1078/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1078 - Valid Accounts: Anomalous authentication risk scoring via Falcon telemetry
#event_simpleName in ("UserLogon", "UserLogonFailed2", "UserLogonV2")
| IsFailure := if(#event_simpleName = "UserLogonFailed2", "true", "false")
| groupBy([UserName, UserSid], function=[
    count(as=TotalEvents),
    count(filter={IsFailure = "true"}, as=FailedLogons),
    count(filter={IsFailure = "false"}, as=SuccessfulLogons),
    count(distinct=RemoteAddressIP4, as=UniqueSourceIPs),
    count(distinct=ComputerName, as=UniqueHosts),
    collect(RemoteAddressIP4, limit=10, as=SourceIPList),
    collect(ComputerName, limit=10, as=HostList)
  ], limit=10000)
| FailedLogons := toInt(FailedLogons)
| SuccessfulLogons := toInt(SuccessfulLogons)
| UniqueSourceIPs := toInt(UniqueSourceIPs)
| UniqueHosts := toInt(UniqueHosts)
| RiskScore := if(FailedLogons > 5 and SuccessfulLogons > 0, 3, 0)
             + if(UniqueSourceIPs > 3, 2, 0)
             + if(UniqueHosts > 4, 2, 0)
| where RiskScore >= 3
| where UserName != "" and UserName != "-"
| sort(RiskScore, order=desc, limit=100)
high severity medium confidence

LogScale (CQL) query targeting CrowdStrike Falcon authentication telemetry events. Aggregates UserLogon (successful) and UserLogonFailed2 (failed) events per user identity (UserName and UserSid) and computes a risk score equivalent to the SPL detection: 3 points for 5+ failures followed by at least one success, 2 points for authentication spread across more than 3 distinct source IPs, and 2 points for more than 4 unique target hosts. Accounts with a combined risk score of 3 or higher are surfaced. SourceIPList and HostList are collected for analyst triage. Empty or dash usernames are filtered to remove noise from unauthenticated events.

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring (EAM)CrowdStrike Falcon Identity ProtectionCrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName: UserLogon, UserLogonFailed2, UserLogonV2

False Positives & Tuning

  • Falcon sensor deployment or mass update events generate synthetic logon telemetry across large numbers of hosts simultaneously, potentially inflating UniqueHosts counts for system or installer accounts beyond the detection threshold
  • Users connecting to cloud workloads through a cloud access security broker (CASB) or identity proxy that routes authentication through multiple egress IPs within a single session will exceed the UniqueSourceIPs threshold without any malicious activity
  • DevOps pipelines that authenticate a shared service account against multiple ephemeral build agents, Kubernetes nodes, or cloud VM instances during CI/CD runs will consistently exceed both the UniqueHosts and SuccessfulLogons thresholds as normal pipeline behavior
Download portable Sigma rule (.yml)

Other platforms for T1078

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Compromised Account Remote Logon (Windows)

    Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.

  2. Test 2Simulate Service Account Lateral Movement via WMI

    Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.

  3. Test 3Simulate Dormant Account Reactivation (Local)

    Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.

  4. Test 4Simulate Cloud Account Compromise via Azure CLI

    Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.

  5. Test 5Test Impossible Travel Detection Trigger

    Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1078.001Default AccountsT1078.002Domain AccountsT1078.003Local AccountsT1078.004Cloud AccountsT1110Brute ForceT1110.003Password SprayingT1556Modify Authentication ProcessT1098Account ManipulationT1550.002Pass the HashT1550.003Pass the TicketT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1566Phishing

Same Tactic: Initial Access

Popular Detections