title: Domain Accounts (T1078.002)
id: df00tech-t1078-002
status: experimental
description: "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain."
references:
  - https://attack.mitre.org/techniques/T1078/002/
  - https://df00tech.com/detections/T1078.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1078.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches every Windows event and is not usable as-is:
  # replace it with the translated logic before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT administrators performing authorized after-hours maintenance, patching, or incident response across multiple systems"
  - "Service accounts that traverse many workstations as part of normal operations (e.g., backup agents, antivirus, patch management)"
  - "Automated software deployment systems (SCCM, Intune, Ansible) that authenticate to many systems in rapid succession"
  - "Password policy enforcement causing legitimate users to fail multiple times before successfully entering a new password"
  - "Helpdesk staff using domain admin credentials to perform authorized remote support across multiple machines"
level: high
