EXPLORE
← Back to Explore
T1078

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credent...

ContainersESXiIaaSIdentity ProviderLinuxmacOSNetwork DevicesOffice SuiteSaaSWindows
297
Detections
5
Sources
45
Threat Actors

BY SOURCE

189elastic55sigma34splunk_escu12crowdstrike_cql7kql

PROCEDURES (110)

Authentication Monitoring20 detections

Auto-extracted: 20 detections for authentication monitoring

Privilege18 detections

Auto-extracted: 18 detections for privilege

General Monitoring16 detections

Auto-extracted: 16 detections for general monitoring

Oauth7 detections

Auto-extracted: 7 detections for oauth

Cloud7 detections

Auto-extracted: 7 detections for cloud

Bypass7 detections

Auto-extracted: 7 detections for bypass

Brute Force6 detections

Auto-extracted: 6 detections for brute force

Credential6 detections

Auto-extracted: 6 detections for credential

Persist5 detections

Auto-extracted: 5 detections for persist

C25 detections

Auto-extracted: 5 detections for c2

Suspicious4 detections

Auto-extracted: 4 detections for suspicious

Powershell4 detections

Auto-extracted: 4 detections for powershell

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Unusual4 detections

Auto-extracted: 4 detections for unusual

Lateral4 detections

Auto-extracted: 4 detections for lateral

Api4 detections

Auto-extracted: 4 detections for api

Service4 detections

Auto-extracted: 4 detections for service

Cloud4 detections

Auto-extracted: 4 detections for cloud

Aws4 detections

Auto-extracted: 4 detections for aws

Aws3 detections

Auto-extracted: 3 detections for aws

Spray3 detections

Auto-extracted: 3 detections for spray

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Event Log3 detections

Auto-extracted: 3 detections for event log

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Remote3 detections

Auto-extracted: 3 detections for remote

Cloud3 detections

Auto-extracted: 3 detections for cloud

Persist3 detections

Auto-extracted: 3 detections for persist

Azure3 detections

Auto-extracted: 3 detections for azure

Cloud Monitoring3 detections

Auto-extracted: 3 detections for cloud monitoring

Oauth3 detections

Auto-extracted: 3 detections for oauth

Email2 detections

Auto-extracted: 2 detections for email

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

C22 detections

Auto-extracted: 2 detections for c2

Tamper2 detections

Auto-extracted: 2 detections for tamper

Saml2 detections

Auto-extracted: 2 detections for saml

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Privilege2 detections

Auto-extracted: 2 detections for privilege

Privilege2 detections

Auto-extracted: 2 detections for privilege

Ransomware2 detections

Auto-extracted: 2 detections for ransomware

Bypass2 detections

Auto-extracted: 2 detections for bypass

Service2 detections

Auto-extracted: 2 detections for service

Email2 detections

Auto-extracted: 2 detections for email

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Spray2 detections

Auto-extracted: 2 detections for spray

Dcsync2 detections

Auto-extracted: 2 detections for dcsync

Unusual2 detections

Auto-extracted: 2 detections for unusual

Service2 detections

Auto-extracted: 2 detections for service

Lateral2 detections

Auto-extracted: 2 detections for lateral

Privilege2 detections

Auto-extracted: 2 detections for privilege

Service2 detections

Auto-extracted: 2 detections for service

Anomal2 detections

Auto-extracted: 2 detections for anomal

Script Block1 detections

Auto-extracted: 1 detections for script block

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Api1 detections

Auto-extracted: 1 detections for api

Remote1 detections

Auto-extracted: 1 detections for remote

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Token1 detections

Auto-extracted: 1 detections for token

Container1 detections

Auto-extracted: 1 detections for container

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

Cloud1 detections

Auto-extracted: 1 detections for cloud

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Saml1 detections

Auto-extracted: 1 detections for saml

Api1 detections

Auto-extracted: 1 detections for api

Http1 detections

Auto-extracted: 1 detections for http

Phish1 detections

Auto-extracted: 1 detections for phish

Lateral1 detections

Auto-extracted: 1 detections for lateral

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Unusual1 detections

Auto-extracted: 1 detections for unusual

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Anomal1 detections

Auto-extracted: 1 detections for anomal

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Unusual1 detections

Auto-extracted: 1 detections for unusual

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Anomal1 detections

Auto-extracted: 1 detections for anomal

Container1 detections

Auto-extracted: 1 detections for container

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Email Security1 detections

Auto-extracted: 1 detections for email security

Oauth1 detections

Auto-extracted: 1 detections for oauth

Script Block1 detections

Auto-extracted: 1 detections for script block

Anomal1 detections

Auto-extracted: 1 detections for anomal

Cloud1 detections

Auto-extracted: 1 detections for cloud

Cloud1 detections

Auto-extracted: 1 detections for cloud

Token1 detections

Auto-extracted: 1 detections for token

Phish1 detections

Auto-extracted: 1 detections for phish

Powershell1 detections

Auto-extracted: 1 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Phish1 detections

Auto-extracted: 1 detections for phish

Unusual1 detections

Auto-extracted: 1 detections for unusual

Http1 detections

Auto-extracted: 1 detections for http

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Api1 detections

Auto-extracted: 1 detections for api

Anomal1 detections

Auto-extracted: 1 detections for anomal

Credential1 detections

Auto-extracted: 1 detections for credential

Persist1 detections

Auto-extracted: 1 detections for persist

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Azure1 detections

Auto-extracted: 1 detections for azure

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Privilege1 detections

Auto-extracted: 1 detections for privilege

DETECTIONS (297)

Access to a Sensitive LDAP Attribute
elasticmedium
Account Created And Deleted Within A Close Time Frame
sigmahigh
Account Discovery Command via SYSTEM Account
elasticlow
Account Enabled (Microsoft Defender for Identity)
crowdstrike_cql
Account Tampering - Suspicious Failed Logon Reasons
sigmamedium
Active Directory Activity
crowdstrike_cql
Active Directory Activity
crowdstrike_cql
Activity From Anonymous IP Address
sigmahigh
AdminSDHolder Backdoor
elastichigh
AdminSDHolder SDProp Exclusion Added
elastichigh
Apple Scripting Execution with Administrator Privileges
elasticmedium
Application Using Device Code Authentication Flow
sigmamedium
Applications That Are Using ROPC Authentication Flow
sigmamedium
ASL AWS SAML Update identity provider
splunk_escu
Attempt to Enable the Root Account
elasticmedium
Atypical Travel
sigmahigh
Authentications To Important Apps Using Single Factor Authentication
sigmamedium
AWS Access Token Used from Multiple Addresses
elasticmedium
AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN
elastichigh
AWS Bedrock API Key Phantom User Activity Outside Bedrock
elastichigh
AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
elastichigh
AWS Bedrock Invoke Model Access Denied
splunk_escu
AWS CloudShell Environment Created
elastichigh
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
elastichigh
AWS EC2 Instance Console Login via Assumed Role
elastichigh
AWS EC2 Instance Profile Associated with Running Instance
elastichigh
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
elasticmedium
AWS IAM API Calls via Temporary Session Tokens
elastichigh
AWS IAM Assume Role Policy Update
elasticlow
AWS IAM CompromisedKeyQuarantine Policy Attached to User
elastichigh
AWS IAM Login Profile Added for Root
elastichigh
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
elastichigh
AWS IAM Long-Term Access Key First Seen from Source IP
elasticmedium
AWS IAM OIDC Provider Created by Rare User
elastichigh
AWS IAM SAML Provider Created
elastichigh
AWS IAM Sensitive Operations via Lambda Execution Role
elastichigh
AWS IAM User Console Login from Multiple Geolocations
elasticmedium
AWS IAM Virtual MFA Device Registration Attempt with Session Token
elastichigh
AWS Key Pair Import Activity
sigmamedium
AWS Management Console Root Login
elasticmedium
AWS Rare Source AS Organization Activity
elastichigh
AWS SAML Update identity provider
splunk_escu
AWS Sign-In Console Login with Federated User
elasticmedium
AWS Sign-In Root Password Recovery Requested
elastichigh
AWS STS AssumeRole with New MFA Device
elasticlow
AWS STS AssumeRoot by Rare User and Member Account
elastichigh
AWS STS Role Assumption by User
elasticlow
AWS STS Role Chaining
elasticmedium
AWS Suspicious SAML Activity
sigmamedium
AWS Suspicious User Agent Fingerprint
elastichigh
Azure AD Graph Access with Unusual User and ASN
elasticmedium
Azure AD Multiple AppIDs and UserAgents Authentication Spike
splunk_escu
Azure AD Threat Intelligence
sigmahigh
Azure Arc Cluster Credential Access by Identity from Unusual Source
elasticmedium
Azure Automation Account Created
elasticlow
Azure Domain Federation Settings Modified
sigmamedium
Azure Kubernetes Admission Controller
sigmamedium
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
elasticlow
Azure Login Bypassing Conditional Access Policies
sigmahigh
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
elasticmedium
Azure Storage Account Keys Accessed by Privileged User
elasticmedium
Azure Subscription Permission Elevation Via AuditLogs
sigmahigh
Azure Unusual Authentication Interruption
sigmamedium
Azure VM Serial Console Connection with Unusual User and ASN
elasticmedium
CA Application SignIn Failures
kql
CA User SignIn Failures
kql
Cisco BGP Authentication Failures
sigmalow
Cisco Duo - Atypical Travel (Impossible Travel)
crowdstrike_cql
Cisco IOS Suspicious Privileged Account Creation
splunk_escu
Cisco LDP Authentication Failures
sigmalow
Cisco Privileged Account Creation with HTTP Command Execution
splunk_escu
Cisco Privileged Account Creation with Suspicious SSH Activity
splunk_escu
Cisco Secure Firewall - High Priority Intrusion Classification
splunk_escu
Cloud API Calls From Previously Unseen User Roles
splunk_escu
Cloud Persistence Activities by User At Risk
kql
Cloud Provisioning Activity From Previously Unseen City
splunk_escu
Cloud Provisioning Activity From Previously Unseen Country
splunk_escu
Cloud Provisioning Activity From Previously Unseen IP Address
splunk_escu
Cloud Provisioning Activity From Previously Unseen Region
splunk_escu
CyberArk Privileged Access Security Error
elastichigh
CyberArk Privileged Access Security Recommended Monitor
elastichigh
Delegated Managed Service Account Modification by an Unusual User
elastichigh
Detection of Generic User Account Usage
crowdstrike_cql
Detection of Generic User Account Usage
crowdstrike_cql
dMSA Account Creation by an Unusual User
elastichigh
Entra ID Actor Token User Impersonation Abuse
elasticmedium
Entra ID AiTM Phishing-Kit Chain Detected
elastichigh
Entra ID Concurrent Sign-in with Suspicious Properties
elastichigh
Entra ID Conditional Access MFA Bypass with Unusual User, Client and Source ASN
elasticmedium
Entra ID External Guest User Invited
elasticlow
Entra ID High Risk Sign-in
elastichigh
Entra ID High Risk User Sign-in Heuristic
elasticmedium
Entra ID Kali365 Default User-Agent Detected
elastichigh
Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource
elastichigh
Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
elastichigh
Entra ID Multiple Device Registrations by a Single User
elasticmedium
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
elasticmedium
Entra ID OAuth Device Code Flow with Concurrent Sign-ins
elastichigh
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
elasticmedium
Entra ID OAuth Device Code Grant by Unusual User
elasticmedium
Entra ID OAuth Device Code Phishing via AiTM
elastichigh
Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
elastichigh
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
elastichigh
Entra ID OAuth Phishing via First-Party Microsoft Application
elasticmedium
Entra ID OAuth PRT Issuance to Non-Managed Device Detected
elasticmedium
Entra ID OAuth ROPC Grant Login Detected
elasticmedium
Entra ID OAuth User Impersonation to Microsoft Graph
elasticmedium
Entra ID OAuth user_impersonation Scope for Unusual User and Client
elasticmedium
Entra ID PowerShell Sign-in
elasticlow
Entra ID Privileged Identity Management (PIM) Role Modified
elasticmedium
Entra ID Protection - Risk Detection - Sign-in Risk
elastichigh
Entra ID Protection - Risk Detection - User Risk
elastichigh
Entra ID Protection Admin Confirmed Compromise
elasticcritical
Entra ID Protection Alerts for User Detected
elastichigh
Entra ID Protection User Alert and Device Registration
elastichigh
Entra ID Service Principal Federated Credential Authentication by Unusual Client
elastichigh
Entra ID Service Principal with Unusual Source ASN
elasticmedium
Entra ID Sharepoint or OneDrive Accessed by Unusual Client
elasticmedium
Entra ID Temporary Access Pass Created for User
elastichigh
Entra ID User Added as Service Principal Owner
elasticlow
Entra ID User Reported Suspicious Activity
elasticmedium
Entra ID User Sign-In via Unusual Legacy Authentication Client
elasticmedium
Entra ID User Sign-in with Unusual Authentication Type
elasticmedium
Entra ID User Sign-in with Unusual Client
elasticmedium
Entra ID User Sign-in with Unusual Non-Managed Device
elasticlow
ESXi Account Modified
splunk_escu
ESXi External Root Login Activity
splunk_escu
ESXi Shared or Stolen Root Account
splunk_escu
ESXi User Granted Admin Role
splunk_escu
Execution with Explicit Credentials via Scripting
elasticmedium
External Remote RDP Logon from Public IP
sigmamedium
External Remote SMB Logon from Public IP
sigmahigh
External User Added to Google Workspace Group
elasticmedium
Failed Logon From Public IP
sigmamedium
First Occurrence of Okta User Session Started via Proxy
elasticmedium
First Time Seen Account Performing DCSync
elastichigh
First Time Seen Google Workspace OAuth Login from Third-Party Application
elasticmedium
First-Time FortiGate Administrator Login
elastichigh
FortiGate Administrator Login from Multiple IP Addresses
elastichigh
FortiGate FortiCloud SSO Login from Unusual Source
elasticmedium
FortiGate SSL VPN Login Followed by SIEM Alert by User
elasticmedium
GCP Detect gcploit framework
splunk_escu
GCP IAM Custom Role Creation
elastichigh
Geographic Improbable Location
splunk_escu
Github Activity on a Private Repository from an Unusual IP
elasticlow
Google Cloud Kubernetes Admission Controller
sigmamedium
Google Workspace Device Registration Burst for Single User
elasticmedium
Google Workspace Government Attack Warning
sigmamedium
Google Workspace Impossible Travel Login
elastichigh
Google Workspace Suspended User Account Renewed
elastichigh
Google Workspace User Login with Unusual ASN
elasticlow
Google Workspace User Sign-in from Atypical Device Type
elasticmedium
Guest Account Enabled Via Sysadminctl
sigmalow
Guest Users Invited To Tenant By Non Approved Inviters
sigmamedium
High Command Line Entropy Detected for Privileged Commands
elasticlow
High Number of Okta User Password Reset or Unlock Attempts
elasticmedium
Honeytoken Account Logon Activity
crowdstrike_cql
Honeytoken Account Logon Activity
crowdstrike_cql
Huawei BGP Authentication Failures
sigmalow
Impossible Travel
sigmahigh
Increased Failed Authentications Of Any Type
sigmamedium
Invalid PIM License
sigmahigh
Juniper BGP Missing MD5
sigmalow
Kerberos Pre-authentication Disabled for User
elasticmedium
Kubeconfig File Creation or Modification
elasticmedium
Kubernetes Admission Controller Modification
sigmamedium
Kubernetes Anonymous Request Authorized by Unusual User Agent
elasticmedium
Kubernetes Suspicious Assignment of Controller Service Account
elasticmedium
Kubernetes Unusual Decision by User Agent
elasticlow
Logon from a Risky IP Address
sigmamedium
M365 Copilot Application Usage Pattern Anomalies
splunk_escu
M365 Copilot Session Origin Anomalies
splunk_escu
M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)
elasticmedium
M365 Identity Device Code Grant with Unusual User and ASN
elastichigh
M365 Identity Login from Atypical Region
elasticmedium
M365 Identity Login from Impossible Travel Location
elasticmedium
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
elastichigh
M365 Identity OAuth Phishing via First-Party Microsoft Application
elastichigh
M365 Identity OAuth ROPC Grant via Legacy Authentication Client
elasticmedium
M365 Identity Unusual SSO Authentication Errors for User
elasticmedium
M365 Identity User Account Lockouts
elasticmedium
M365 or Entra ID Identity Sign-in from a Suspicious Source
elastichigh
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
sigmahigh
Measurable Increase Of Successful Authentications
sigmalow
Microsoft 365 - Impossible Travel Activity
sigmamedium
Microsoft Entra ID Impossible Travel Sign-in
elastichigh
Microsoft Graph Request User Impersonation by Unusual Client
elasticlow
Mounting Hidden or WebDav Remote Shares
elasticmedium
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
elasticmedium
Multiple Sensitive Group Additions From Commandline
kql
New Authentication App Detected
kql
New Country
sigmahigh
O365 Multiple AppIDs and UserAgents Authentication Spike
splunk_escu
Okta Alerts Following Unusual Proxy Authentication
elastichigh
Okta Non-Standard VPN Usage
splunk_escu
Okta Risk Threshold Exceeded
splunk_escu
Okta Sign-In Events via Third-Party IdP
elasticmedium
Okta Successful Login After Credential Attack
elastichigh
Okta User Session Impersonation
elastichigh
Okta User Sessions Started from Different Geolocations
elasticmedium