Detect Valid Accounts in IBM QRadar
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/
QRadar Detection Query

```sql
SELECT
  username AS target_user,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00') AS event_hour,
  COUNT(*) AS total_events,
  COUNT(DISTINCT sourceip) AS unique_source_ips,
  SUM(CASE WHEN eventid = 4625 THEN eventcount ELSE 0 END) AS failed_logons,
  SUM(CASE WHEN eventid = 4672 THEN eventcount ELSE 0 END) AS privileged_logons,
  SUM(CASE WHEN eventid = 4648 THEN eventcount ELSE 0 END) AS new_credential_use,
  SUM(CASE WHEN eventid = 4624 THEN eventcount ELSE 0 END) AS successful_logons,
  MIN(sourceip) AS sample_source_ip
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid IN (4624, 4625, 4648, 4672)
  AND username NOT IN ('SYSTEM', 'ANONYMOUS LOGON', '-', 'LOCAL SERVICE', 'NETWORK SERVICE')
  AND username NOT LIKE '%$'
  AND starttime > NOW() - 3600000
GROUP BY
  username,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00')
HAVING
  failed_logons > 5
  OR (unique_source_ips > 3 AND successful_logons > 0)
  OR (new_credential_use > 0 AND privileged_logons > 0)
ORDER BY total_events DESC
LAST 1 HOURS
```

AQL query that aggregates Windows Security authentication events (4624 successful logon, 4625 failed logon, 4648 logon with explicit credentials, 4672 special privilege assignment) per user per hour across all Windows Security Event Log sources. It flags accounts meeting any of three risk conditions: more than 5 failed logons, successful logons arriving from more than 3 distinct source IPs within the hour, or the co-occurrence of explicit credential use and privileged session creation. Machine accounts (names ending in '$') and well-known system identities are excluded. The query mirrors the risk-scoring logic of the SPL detection, adapted to QRadar's AQL aggregation model. Note that the one-hour window is stated twice: "starttime > NOW() - 3600000" in the WHERE clause (NOW() returns epoch milliseconds, so 3600000 ms is one hour) and the trailing "LAST 1 HOURS"; both bound the search to the past hour, so the hourly buckets will normally contain at most two partial hours.
Data Sources
Required Tables
False Positives & Tuning
- System administrators who authenticate to many managed workstations from a single jump host generate multiple 4624 events with the same sourceip, but automated inventory or patch management tools may pull credentials from several IPs, inflating unique_source_ips past the threshold during maintenance windows
- Ansible, SCCM, or similar configuration management platforms that authenticate as a service account across dozens of endpoints in parallel within a single hour will reliably exceed the unique_source_ips threshold without any malicious activity
- Helpdesk workflows where staff use RunAs (generating 4648) to launch an elevated tool and then perform privileged operations (generating 4672) during a support ticket are a common and entirely legitimate co-occurrence of new_credential_use and privileged_logons
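The aggregation and the three HAVING conditions above, together with the tuning the False Positives section calls for, re-implemented as an added Python example so the logic can be exercised offline against constructed telemetry. This is not QRadar's code or the detection vendor's code: the event dicts, the sample accounts, the hour bucket and the multi_source_exempt tuning knob (an assumed allowlist that lets known configuration-management or jump-host service accounts skip only the many-source-IPs condition) are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

WATCHED_EVENT_IDS = {4624, 4625, 4648, 4672}
EXCLUDED_USERS = {'SYSTEM', 'ANONYMOUS LOGON', '-', 'LOCAL SERVICE', 'NETWORK SERVICE'}
# Counter each event ID feeds, matching the SUM(CASE ...) columns of the AQL query.
COUNTER_FOR_EVENT = {4625: 'failed_logons', 4672: 'privileged_logons',
                     4648: 'new_credential_use', 4624: 'successful_logons'}


def make_event(username, eventid, sourceip, minute, eventcount=1):
    """Constructed Windows Security event carrying the columns the AQL query reads."""
    return {'username': username, 'eventid': eventid, 'sourceip': sourceip,
            'eventcount': eventcount, 'starttime': datetime(2024, 5, 1, 9, minute)}


# Constructed sample telemetry; every event falls inside the 09:00 hour.
SAMPLE_EVENTS = (
    [make_event('jdoe', 4625, '10.0.0.5', m) for m in range(6)]                 # six failures
    + [make_event('jdoe', 4624, '10.0.0.5', 7)]                                  # then a success
    + [make_event('svc_backup', 4624, f'10.0.1.{n}', 10 + n) for n in range(4)]  # four source IPs
    + [make_event('asmith', 4648, '10.0.2.9', 20),                               # explicit credentials
       make_event('asmith', 4672, '10.0.2.9', 21)]                               # then privileges
    + [make_event('WS01$', 4624, '10.0.3.1', 30)]                                # machine account
    + [make_event('SYSTEM', 4672, '10.0.3.1', 31)]                               # system identity
    + [make_event('bob', 4624, '10.0.4.2', 40), make_event('bob', 4625, '10.0.4.2', 41)]  # benign
)


def in_scope(username):
    """WHERE-clause filters: drop well-known system identities and machine accounts ('%$')."""
    return username not in EXCLUDED_USERS and not username.endswith('$')


def aggregate_hourly(events):
    """Per-(user, hour) counters equivalent to the SELECT ... GROUP BY of the AQL query."""
    buckets = defaultdict(lambda: {'total_events': 0, 'source_ips': set(),
                                   'failed_logons': 0, 'privileged_logons': 0,
                                   'new_credential_use': 0, 'successful_logons': 0})
    for e in events:
        if e['eventid'] not in WATCHED_EVENT_IDS or not in_scope(e['username']):
            continue
        key = (e['username'], e['starttime'].strftime('%Y-%m-%d %H:00:00'))
        bucket = buckets[key]
        bucket['total_events'] += 1                                   # COUNT(*)
        bucket['source_ips'].add(e['sourceip'])                       # COUNT(DISTINCT sourceip)
        bucket[COUNTER_FOR_EVENT[e['eventid']]] += e['eventcount']    # SUM(CASE ...)
    return buckets


def risk_reasons(username, bucket, multi_source_exempt=frozenset()):
    """The three HAVING conditions. multi_source_exempt is an assumed tuning knob: accounts
    listed there (SCCM/Ansible service accounts, jump-host admins) skip only the
    many-source-IPs condition that the False Positives section says they trip."""
    reasons = []
    if bucket['failed_logons'] > 5:
        reasons.append('failed_logons>5')
    if (username not in multi_source_exempt
            and len(bucket['source_ips']) > 3 and bucket['successful_logons'] > 0):
        reasons.append('success_from_more_than_3_ips')
    if bucket['new_credential_use'] > 0 and bucket['privileged_logons'] > 0:
        reasons.append('explicit_creds_with_privileges')
    return reasons


def flag_accounts(events, multi_source_exempt=frozenset()):
    """Return {(user, hour): reasons} for flagged buckets, ordered by total_events DESC."""
    buckets = aggregate_hourly(events)
    flagged = {}
    for key in sorted(buckets, key=lambda k: buckets[k]['total_events'], reverse=True):
        reasons = risk_reasons(key[0], buckets[key], multi_source_exempt)
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == '__main__':
    for (user, hour), reasons in flag_accounts(SAMPLE_EVENTS).items():
        print(f'{hour}  {user:<12} {", ".join(reasons)}')
```

Running it flags jdoe (failed logons), svc_backup (four source IPs) and asmith (4648 followed by 4672) while WS01$, SYSTEM and bob stay silent; passing multi_source_exempt={'svc_backup'} drops the service account, which is the shape of allowlist a QRadar reference set would hold for the maintenance-window cases listed above.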
Testing Methodology
Validate this detection against the 5 Atomic Red Team test cases for this technique listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Compromised Account Remote Logon (Windows)
  Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.
- Test 2: Simulate Service Account Lateral Movement via WMI
  Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.
- Test 3: Simulate Dormant Account Reactivation (Local)
  Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for the account-enabling action.
- Test 4: Simulate Cloud Account Compromise via Azure CLI
  Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if the login is from an unexpected location.
- Test 5: Test Impossible Travel Detection Trigger
  Expected signal: Two SigninLogs entries for [email protected]: first from a US IP, second from an EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window with different Location fields.
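For Test 5, the following added Python example shows the minimal speed-of-travel heuristic behind an "impossible travel" finding, so the expected signal can be checked against exported sign-in entries without waiting on Entra ID Protection. It is not Microsoft's algorithm (which also weighs familiar locations, VPN egress and other factors) and not code from the page's vendor; the sign-in dicts, the New York and Frankfurt coordinates, the placeholder user and IPs, and the 1000 km/h threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than an airliner is treated as physically impossible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(first, second):
    """Speed needed to move between two sign-ins' locations in the time between them."""
    distance = haversine_km(first['lat'], first['lon'], second['lat'], second['lon'])
    hours = abs((second['time'] - first['time']).total_seconds()) / 3600
    if hours == 0:
        return float('inf') if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(first, second, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """True when the implied speed exceeds what a person could plausibly travel."""
    return implied_speed_kmh(first, second) > max_speed_kmh


def find_impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Order one user's sign-ins by time and return consecutive pairs that are impossible."""
    ordered = sorted(signins, key=lambda s: s['time'])
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if is_impossible_travel(a, b, max_speed_kmh)]


T0 = datetime(2024, 5, 1, 12, 0, 0)
# Constructed SigninLogs-like entries: a US sign-in, an EU sign-in two minutes later
# (the Test 5 pattern), then a later EU sign-in from the same city, which is benign.
SAMPLE_SIGNINS = [
    {'user': 'user@example.test', 'ip': '198.51.100.10', 'lat': 40.7128, 'lon': -74.0060,
     'time': T0},
    {'user': 'user@example.test', 'ip': '203.0.113.20', 'lat': 50.1109, 'lon': 8.6821,
     'time': T0 + timedelta(minutes=2)},
    {'user': 'user@example.test', 'ip': '203.0.113.21', 'lat': 50.1109, 'lon': 8.6821,
     'time': T0 + timedelta(hours=3)},
]

if __name__ == '__main__':
    for a, b in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['ip']} -> {b['ip']} at {implied_speed_kmh(a, b):,.0f} km/h")
```

Only the first pair is returned: roughly 6,200 km in two minutes implies a speed in the hundreds of thousands of km/h, while the third sign-in sits in the same city as the second and implies no movement at all.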
References (10)
- https://attack.mitre.org/techniques/T1078/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md
- https://www.mandiant.com/resources/blog/unc3944-scattered-spider
- https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://technet.microsoft.com/en-us/library/dn535501.aspx