Detect Valid Accounts in Microsoft Sentinel
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/
KQL Detection Query
// Detect anomalous logon patterns indicative of compromised valid accounts
let LookbackDays = 14d;
let AnomalyWindow = 1d;
// Baseline: countries/cities seen per user in lookback window
let UserLocationBaseline = SigninLogs
| where TimeGenerated between (ago(LookbackDays) .. ago(AnomalyWindow))
| where ResultType == 0
| summarize BaselineLocations=make_set(Location), BaselineIPs=make_set(IPAddress), BaselineApps=make_set(AppDisplayName) by UserPrincipalName;
// Recent logons to compare against baseline
let RecentLogons = SigninLogs
| where TimeGenerated > ago(AnomalyWindow)
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
DeviceDetail, AuthenticationRequirement, ConditionalAccessStatus,
RiskLevelDuringSignIn, RiskLevelAggregated, IsInteractive;
// Join and find anomalies
RecentLogons
| join kind=leftouter UserLocationBaseline on UserPrincipalName
| extend NewLocation = not(Location in (BaselineLocations))
| extend NewIP = not(IPAddress in (BaselineIPs))
| extend NewApp = not(AppDisplayName in (BaselineApps))
| extend AnomalyScore = toint(NewLocation) + toint(NewIP) + toint(NewApp)
+ toint(RiskLevelDuringSignIn in ("high", "medium"))
+ toint(ConditionalAccessStatus == "notApplied")
| where AnomalyScore >= 2 or RiskLevelDuringSignIn == "high"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
NewLocation, NewIP, NewApp, AnomalyScore,
RiskLevelDuringSignIn, RiskLevelAggregated,
ConditionalAccessStatus, AuthenticationRequirement,
IsInteractive, DeviceDetail
| sort by AnomalyScore desc, TimeGenerated descDetects anomalous sign-in patterns in Azure AD / Entra ID that may indicate valid account abuse. Compares recent logons against a 14-day baseline per user to identify new geolocations, new IP addresses, new application access, elevated risk scores, and missing Conditional Access enforcement. An anomaly score of 2+ triggers the alert. Covers Initial Access via external services and Persistence via re-authentication.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate travel — users accessing resources from new countries or cities during business travel
- VPN or proxy changes — users switching VPN exit nodes causing IP and apparent location changes
- New device enrollment — first-time access from a newly provisioned corporate device triggers 'new IP' anomaly
- After-hours legitimate access — on-call engineers or executives working outside normal hours from home networks
- Conditional Access policy rollout periods — new CA policies may temporarily show as 'notApplied' during staged deployment
Other platforms for T1078
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Remote Logon (Windows)
Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.
- Test 2Simulate Service Account Lateral Movement via WMI
Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.
- Test 3Simulate Dormant Account Reactivation (Local)
Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.
- Test 4Simulate Cloud Account Compromise via Azure CLI
Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.
- Test 5Test Impossible Travel Detection Trigger
Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.
References (10)
- https://attack.mitre.org/techniques/T1078/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md
- https://www.mandiant.com/resources/blog/unc3944-scattered-spider
- https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://technet.microsoft.com/en-us/library/dn535501.aspx
Unlock Pro Content
Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.