T1078 Splunk · SPL

Detect Valid Accounts in Splunk

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation Defense Evasion
Technique
T1078 Valid Accounts
Canonical reference
https://attack.mitre.org/techniques/T1078/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="WinEventLog:Security"
  (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4672)
| eval LogonType=case(
    LogonType=="2", "Interactive",
    LogonType=="3", "Network",
    LogonType=="4", "Batch",
    LogonType=="5", "Service",
    LogonType=="7", "Unlock",
    LogonType=="8", "NetworkCleartext",
    LogonType=="9", "NewCredentials",
    LogonType=="10", "RemoteInteractive",
    LogonType=="11", "CachedInteractive",
    true(), "Unknown_"+LogonType)
| eval IsPrivileged=if(EventCode=="4672", 1, 0)
| eval IsFailed=if(EventCode=="4625", 1, 0)
| eval IsNewCredentials=if(EventCode=="4648", 1, 0)
| eval SuspiciousLogonType=if(LogonType IN ("NetworkCleartext", "NewCredentials"), 1, 0)
| eval IsAdminAccount=if(match(lower(TargetUserName), "(admin|svc|service|sa_|_svc|robot|automation)"), 1, 0)
| stats count as TotalEvents,
        sum(IsFailed) as FailedLogons,
        sum(IsPrivileged) as PrivilegedLogons,
        sum(IsNewCredentials) as NewCredentialUse,
        sum(SuspiciousLogonType) as SuspiciousLogonTypes,
        values(LogonType) as LogonTypes,
        values(IpAddress) as SourceIPs,
        dc(IpAddress) as UniqueSourceIPs,
        values(WorkstationName) as Workstations,
        dc(WorkstationName) as UniqueWorkstations
  by TargetUserName, TargetDomainName, _time span=1h
| eval RiskScore=SuspiciousLogonTypes*2 + if(FailedLogons>5 AND PrivilegedLogons>0, 3, 0)
               + if(UniqueSourceIPs>3, 2, 0) + if(UniqueWorkstations>4, 2, 0)
               + NewCredentialUse
| where RiskScore >= 3
| table _time, TargetUserName, TargetDomainName, TotalEvents, FailedLogons,
        PrivilegedLogons, NewCredentialUse, UniqueSourceIPs, SourceIPs,
        UniqueWorkstations, LogonTypes, RiskScore
| sort - RiskScore
high severity medium confidence

Detects suspicious account usage patterns using Windows Security Event logs. Aggregates logon events (4624 successful, 4625 failed, 4648 explicit credential use, 4672 special privilege logon) per user per hour and computes a risk score. High risk scores emerge from: suspicious logon types (cleartext/new credentials), failed logons preceding privilege use, multiple source IPs, and widespread workstation access — patterns consistent with credential abuse by APT41, FIN8, Volt Typhoon, and Scattered Spider.

Data Sources

Logon Session: Logon Session CreationUser Account: User Account AuthenticationWindows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives & Tuning

  • Service accounts performing scheduled tasks across multiple hosts — these legitimately generate high-volume network logon events from multiple workstations
  • IT administrators managing servers via RDP or PSRemoting — legitimate multi-workstation remote interactive logons from admin accounts
  • Password synchronization tools and SSO solutions causing 4648 (explicit credential) events in bulk during sync cycles
  • Backup agents and monitoring software authenticating to multiple endpoints — creates legitimate multi-source-IP logon patterns
  • Domain controller replication events generating multiple 4624 type 3 (network) logons between DCs
Download portable Sigma rule (.yml)

Other platforms for T1078

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Compromised Account Remote Logon (Windows)

    Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.

  2. Test 2Simulate Service Account Lateral Movement via WMI

    Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.

  3. Test 3Simulate Dormant Account Reactivation (Local)

    Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.

  4. Test 4Simulate Cloud Account Compromise via Azure CLI

    Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.

  5. Test 5Test Impossible Travel Detection Trigger

    Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1078.001Default AccountsT1078.002Domain AccountsT1078.003Local AccountsT1078.004Cloud AccountsT1110Brute ForceT1110.003Password SprayingT1556Modify Authentication ProcessT1098Account ManipulationT1550.002Pass the HashT1550.003Pass the TicketT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1566Phishing

Same Tactic: Initial Access

Popular Detections