Detect Valid Accounts in Sumo Logic CSE
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization.
MITRE ATT&CK
- Technique
- T1078 Valid Accounts
- Canonical reference
- https://attack.mitre.org/techniques/T1078/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*WinEventLog* OR _sourceCategory=*Security*
| where EventCode in ("4624", "4625", "4648", "4672")
| parse regex field=Message "Account Name:\\s+(?<TargetUserName>\\S+)" nodrop
| parse regex field=Message "Account Domain:\\s+(?<TargetDomainName>\\S+)" nodrop
| parse regex field=Message "Logon Type:\\s+(?<LogonType>\\d+)" nodrop
| parse regex field=Message "Source Network Address:\\s+(?<SourceIP>[^\\s\\r\\n]+)" nodrop
| where TargetUserName != "SYSTEM" and TargetUserName != "ANONYMOUS LOGON" and TargetUserName != "-"
| where !(TargetUserName matches /.*\$$/)
| where SourceIP != "-" and !(SourceIP matches /^$/)
| eval IsFailed = if(EventCode == "4625", 1, 0)
| eval IsPrivileged = if(EventCode == "4672", 1, 0)
| eval IsNewCreds = if(EventCode == "4648", 1, 0)
| eval IsSuspiciousLogon = if(LogonType in ("8", "9"), 1, 0)
| eval IsAdminAccount = if(TargetUserName matches /(?i)(admin|svc|service|sa_|_svc|robot|automation)/, 1, 0)
| timeslice 1h
| stats sum(IsFailed) as FailedLogons,
sum(IsPrivileged) as PrivilegedLogons,
sum(IsNewCreds) as NewCredentialUse,
sum(IsSuspiciousLogon) as SuspiciousLogons,
sum(IsAdminAccount) as AdminAccountEvents,
count_distinct(SourceIP) as UniqueSourceIPs,
count as TotalEvents
by _timeslice, TargetUserName, TargetDomainName
| eval RiskScore = (SuspiciousLogons * 2)
+ if(FailedLogons > 5 and PrivilegedLogons > 0, 3, 0)
+ if(UniqueSourceIPs > 3, 2, 0)
+ NewCredentialUse
+ (AdminAccountEvents > 0 ? 1 : 0)
| where RiskScore >= 3
| sort by RiskScore descParses Windows Security authentication events ingested by a Sumo Logic Installed Collector, extracts logon metadata from the raw Message field using regex, and computes a per-user hourly risk score equivalent to the Splunk detection. Weights suspicious logon types (NetworkCleartext type 8, NewCredentials type 9), the combination of failed-then-privileged access, multiple source IPs, explicit credential re-use, and admin-pattern account names. Machine accounts (names ending in $) and events with null source IPs are excluded to reduce noise.
Data Sources
Required Tables
False Positives & Tuning
- Users connecting through Citrix Virtual Apps or a terminal services gateway may authenticate from multiple backend proxy IPs within a single hour, inflating UniqueSourceIPs past the threshold without any credential compromise
- Robotic Process Automation (RPA) tools that use NetworkCleartext (type 8) logons against legacy web applications or mainframe connectors as part of scheduled automation workflows will consistently score as suspicious logon types
- Shared administrator accounts used simultaneously by multiple helpdesk analysts from their individual workstations generate high UniqueSourceIPs counts and may also trigger admin-account pattern matching even during fully authorized operations
Other platforms for T1078
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Compromised Account Remote Logon (Windows)
Expected signal: Security Event ID 4648 on source host (explicit credential logon with alternate credentials). Security Event ID 4624 LogonType=3 (network) on target host. Sysmon Event ID 3 (network connection) from cmd.exe to TARGET_HOST:445. Security Event ID 4672 if USERNAME has special privileges.
- Test 2Simulate Service Account Lateral Movement via WMI
Expected signal: Security Event ID 4648 on initiating host. Security Event ID 4624 LogonType=3 on TARGET_HOST. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe on TARGET_HOST. Sysmon Event ID 3 showing DCOM/WMI network traffic to TARGET_HOST:135.
- Test 3Simulate Dormant Account Reactivation (Local)
Expected signal: Security Event ID 4720 (account created). Security Event ID 4725 (account disabled). Security Event ID 4722 (account enabled — key indicator of reactivation). Security Event ID 4624 LogonType=2 (interactive) for df00tech_dormant. Audit event for account enabling action.
- Test 4Simulate Cloud Account Compromise via Azure CLI
Expected signal: Azure AD SigninLogs entry with UserPrincipalName=compromised_user, AppDisplayName='Microsoft Azure CLI', ClientAppUsed='Other clients', AuthenticationRequirement='singleFactorAuthentication' (if no MFA). Azure Audit Log entries for resource enumeration. Entra ID Protection may generate a risk detection if login is from an unexpected location.
- Test 5Test Impossible Travel Detection Trigger
Expected signal: Two SigninLogs entries for [email protected]: first from US IP, second from EU IP approximately 2 minutes later. Entra ID Protection should generate an 'Impossible Travel' risk detection. Both entries appear in the 24h window, different Location fields.
References (10)
- https://attack.mitre.org/techniques/T1078/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md
- https://www.mandiant.com/resources/blog/unc3944-scattered-spider
- https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf
- https://technet.microsoft.com/en-us/library/dn535501.aspx
Unlock Pro Content
Get the full detection package for T1078 including response playbook, investigation guide, and atomic red team tests.