T1078

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credent...

Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows

252 Detections
4 Sources
44 Threat Actors

BY SOURCE

elastic: 161
sigma: 54
splunk_escu: 32
crowdstrike_cql: 5

PROCEDURES (101)

Auto-extracted keyword clusters, each with the number of detections it groups:

Privilege: 18 detections
Authentication Monitoring: 16 detections
General Monitoring: 14 detections
Cloud: 7 detections
Bypass: 7 detections
Persist: 7 detections
Azure: 6 detections
Exfiltrat: 5 detections
Credential: 5 detections
Spray: 4 detections
Api: 4 detections
Lateral: 4 detections
Unusual: 4 detections
Aws: 4 detections
Powershell: 4 detections
Aws: 4 detections
Anomal: 4 detections
Suspicious: 4 detections
Oauth: 3 detections
Token: 3 detections
Remote: 3 detections
Lateral: 3 detections
Brute Force: 3 detections
C2: 3 detections
Cloud: 3 detections
Suspicious: 3 detections
Cloud Monitoring: 3 detections
Exfiltrat: 3 detections
Remote: 3 detections
Process Creation Monitoring: 3 detections
Saml: 3 detections
Event Log: 3 detections
Service: 2 detections
Impersonat: 2 detections
Spray: 2 detections
Exfiltrat: 2 detections
Cloud: 2 detections
Network Connection Monitoring: 2 detections
Dcsync: 2 detections
Ransomware: 2 detections
Saml: 2 detections
Unusual: 2 detections
Suspicious: 2 detections
Persist: 2 detections
Impersonat: 2 detections
Service: 2 detections
Bypass: 2 detections
Email: 2 detections
Service: 2 detections
Privilege: 2 detections
Tamper: 2 detections
Privilege: 2 detections
Service: 1 detection
Http: 1 detection
Suspicious: 1 detection
C2: 1 detection
Api: 1 detection
Lateral: 1 detection
Token: 1 detection
Unusual: 1 detection
Container: 1 detection
Kubernetes: 1 detection
Kubernetes: 1 detection
Azure: 1 detection
Script Execution Monitoring: 1 detection
Persist: 1 detection
Http: 1 detection
Cloud: 1 detection
Privilege: 1 detection
Impersonat: 1 detection
Brute Force: 1 detection
Phish: 1 detection
Email: 1 detection
Phish: 1 detection
Impersonat: 1 detection
Powershell: 1 detection
Anomal: 1 detection
Persist: 1 detection
Azure: 1 detection
Ransomware: 1 detection
Phish: 1 detection
Azure: 1 detection
Cloud: 1 detection
Remote: 1 detection
Container: 1 detection
Suspicious: 1 detection
Email Security: 1 detection
Kerbero: 1 detection
Kubernetes: 1 detection
Api: 1 detection
Kubernetes: 1 detection
Anomal: 1 detection
Credential: 1 detection
Privilege: 1 detection
Persist: 1 detection
Kubernetes: 1 detection
Http: 1 detection
Kerbero: 1 detection
Unusual: 1 detection
Kerbero: 1 detection
Remote: 1 detection

DETECTIONS (252)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Access to a Sensitive LDAP Attribute [elastic, medium]
Account Created And Deleted Within A Close Time Frame [sigma, high]
Account Discovery Command via SYSTEM Account [elastic, low]
Account Tampering - Suspicious Failed Logon Reasons [sigma, medium]
Active Directory Activity [crowdstrike_cql]
Activity From Anonymous IP Address [sigma, high]
AdminSDHolder Backdoor [elastic, high]
AdminSDHolder SDProp Exclusion Added [elastic, high]
Apple Scripting Execution with Administrator Privileges [elastic, medium]
Application Using Device Code Authentication Flow [sigma, medium]
Applications That Are Using ROPC Authentication Flow [sigma, medium]
ASL AWS SAML Update identity provider [splunk_escu]
Attempt to Enable the Root Account [elastic, medium]
Atypical Travel [sigma, high]
Authentications To Important Apps Using Single Factor Authentication [sigma, medium]
AWS Access Token Used from Multiple Addresses [elastic, medium]
AWS Bedrock Invoke Model Access Denied [splunk_escu]
AWS CloudShell Environment Created [elastic, low]
AWS EC2 Instance Console Login via Assumed Role [elastic, high]
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role [elastic, medium]
AWS IAM API Calls via Temporary Session Tokens [elastic, low]
AWS IAM Assume Role Policy Update [elastic, low]
AWS IAM CompromisedKeyQuarantine Policy Attached to User [elastic, high]
AWS IAM Login Profile Added for Root [elastic, high]
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts [elastic, high]
AWS IAM Long-Term Access Key First Seen from Source IP [elastic, medium]
AWS IAM OIDC Provider Created by Rare User [elastic, medium]
AWS IAM SAML Provider Created [elastic, medium]
AWS IAM Virtual MFA Device Registration Attempt with Session Token [elastic, medium]
AWS Key Pair Import Activity [sigma, medium]
AWS Management Console Root Login [elastic, medium]
AWS SAML Update identity provider [splunk_escu]
AWS Sign-In Console Login with Federated User [elastic, medium]
AWS Sign-In Root Password Recovery Requested [elastic, high]
AWS STS AssumeRole with New MFA Device [elastic, low]
AWS STS AssumeRoot by Rare User and Member Account [elastic, medium]
AWS STS Role Assumption by User [elastic, low]
AWS STS Role Chaining [elastic, medium]
AWS Suspicious SAML Activity [sigma, medium]
AWS Suspicious User Agent Fingerprint [elastic, medium]
Azure AD Multiple AppIDs and UserAgents Authentication Spike [splunk_escu]
Azure AD Threat Intelligence [sigma, high]
Azure Arc Cluster Credential Access by Identity from Unusual Source [elastic, medium]
Azure Automation Account Created [elastic, low]
Azure Domain Federation Settings Modified [sigma, medium]
Azure Kubernetes Admission Controller [sigma, medium]
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created [elastic, low]
Azure Login Bypassing Conditional Access Policies [sigma, high]
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access [elastic, medium]
Azure Storage Account Keys Accessed by Privileged User [elastic, medium]
Azure Subscription Permission Elevation Via AuditLogs [sigma, high]
Azure Unusual Authentication Interruption [sigma, medium]
Cisco BGP Authentication Failures [sigma, low]
Cisco IOS Suspicious Privileged Account Creation [splunk_escu]
Cisco LDP Authentication Failures [sigma, low]
Cisco Privileged Account Creation with HTTP Command Execution [splunk_escu]
Cisco Privileged Account Creation with Suspicious SSH Activity [splunk_escu]
Cisco Secure Firewall - High Priority Intrusion Classification [splunk_escu]
Cloud API Calls From Previously Unseen User Roles [splunk_escu]
Cloud Provisioning Activity From Previously Unseen City [splunk_escu]
Cloud Provisioning Activity From Previously Unseen Country [splunk_escu]
Cloud Provisioning Activity From Previously Unseen IP Address [splunk_escu]
Cloud Provisioning Activity From Previously Unseen Region [splunk_escu]
CyberArk Privileged Access Security Error [elastic, high]
CyberArk Privileged Access Security Recommended Monitor [elastic, high]
Delegated Managed Service Account Modification by an Unusual User [elastic, high]
Detection of Generic User Account Usage [crowdstrike_cql]
dMSA Account Creation by an Unusual User [elastic, high]
Entra ID Actor Token User Impersonation Abuse [elastic, medium]
Entra ID Concurrent Sign-in with Suspicious Properties [elastic, high]
Entra ID External Guest User Invited [elastic, low]
Entra ID High Risk Sign-in [elastic, high]
Entra ID High Risk User Sign-in Heuristic [elastic, medium]
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource [elastic, medium]
Entra ID OAuth Device Code Flow with Concurrent Sign-ins [elastic, high]
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker [elastic, medium]
Entra ID OAuth Device Code Grant by Unusual User [elastic, medium]
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) [elastic, high]
Entra ID OAuth Phishing via First-Party Microsoft Application [elastic, medium]
Entra ID OAuth PRT Issuance to Non-Managed Device Detected [elastic, medium]
Entra ID OAuth ROPC Grant Login Detected [elastic, medium]
Entra ID OAuth User Impersonation to Microsoft Graph [elastic, medium]
Entra ID OAuth user_impersonation Scope for Unusual User and Client [elastic, medium]
Entra ID PowerShell Sign-in [elastic, low]
Entra ID Privileged Identity Management (PIM) Role Modified [elastic, medium]
Entra ID Protection - Risk Detection - Sign-in Risk [elastic, high]
Entra ID Protection - Risk Detection - User Risk [elastic, high]
Entra ID Protection Admin Confirmed Compromise [elastic, critical]
Entra ID Protection Alerts for User Detected [elastic, high]
Entra ID Protection User Alert and Device Registration [elastic, high]
Entra ID Service Principal Federated Credential Authentication by Unusual Client [elastic, medium]
Entra ID Service Principal with Unusual Source ASN [elastic, medium]
Entra ID Sharepoint or OneDrive Accessed by Unusual Client [elastic, medium]
Entra ID User Added as Service Principal Owner [elastic, low]
Entra ID User Reported Suspicious Activity [elastic, medium]
Entra ID User Sign-in with Unusual Authentication Type [elastic, medium]
Entra ID User Sign-in with Unusual Client [elastic, medium]
Entra ID User Sign-in with Unusual Non-Managed Device [elastic, low]
ESXi Account Modified [splunk_escu]
ESXi External Root Login Activity [splunk_escu]
ESXi Shared or Stolen Root Account [splunk_escu]
ESXi User Granted Admin Role [splunk_escu]
Execution with Explicit Credentials via Scripting [elastic, medium]
External Remote RDP Logon from Public IP [sigma, medium]
External Remote SMB Logon from Public IP [sigma, high]
External User Added to Google Workspace Group [elastic, medium]
Failed Logon From Public IP [sigma, medium]
First Occurrence of Okta User Session Started via Proxy [elastic, medium]
First Time Seen Google Workspace OAuth Login from Third-Party Application [elastic, medium]
First-Time FortiGate Administrator Login [elastic, high]
FirstTime Seen Account Performing DCSync [elastic, high]
FortiGate Administrator Login from Multiple IP Addresses [elastic, high]
FortiGate FortiCloud SSO Login from Unusual Source [elastic, medium]
FortiGate SSL VPN Login Followed by SIEM Alert by User [elastic, medium]
GCP Detect gcploit framework [splunk_escu]
GCP IAM Custom Role Creation [elastic, medium]
Geographic Improbable Location [splunk_escu]
Github Activity on a Private Repository from an Unusual IP [elastic, low]
Google Cloud Kubernetes Admission Controller [sigma, medium]
Google Workspace Suspended User Account Renewed [elastic, low]
Guest Account Enabled Via Sysadminctl [sigma, low]
Guest Users Invited To Tenant By Non Approved Inviters [sigma, medium]
High Command Line Entropy Detected for Privileged Commands [elastic, low]
High Number of Okta User Password Reset or Unlock Attempts [elastic, medium]
Honeytoken Account Logon Activity [crowdstrike_cql]
Huawei BGP Authentication Failures [sigma, low]
Impossible Travel [sigma, high]
Increased Failed Authentications Of Any Type [sigma, medium]
Invalid PIM License [sigma, high]
Juniper BGP Missing MD5 [sigma, low]
Kerberos Pre-authentication Disabled for User [elastic, medium]
Kubeconfig File Creation or Modification [elastic, medium]
Kubernetes Admission Controller Modification [sigma, medium]
Kubernetes Anonymous Request Authorized by Unusual User Agent [elastic, medium]
Kubernetes Suspicious Assignment of Controller Service Account [elastic, medium]
Kubernetes Unusual Decision by User Agent [elastic, low]
Logon from a Risky IP Address [sigma, medium]
M365 Copilot Application Usage Pattern Anomalies [splunk_escu]
M365 Copilot Session Origin Anomalies [splunk_escu]
M365 Identity Login from Atypical Travel Location [elastic, medium]
M365 Identity Login from Impossible Travel Location [elastic, medium]
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs [elastic, high]
M365 Identity OAuth Phishing via First-Party Microsoft Application [elastic, medium]
M365 Identity Unusual SSO Authentication Errors for User [elastic, medium]
M365 Identity User Account Lockouts [elastic, medium]
M365 or Entra ID Identity Sign-in from a Suspicious Source [elastic, high]
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure [sigma, high]
Measurable Increase Of Successful Authentications [sigma, low]
Microsoft 365 - Impossible Travel Activity [sigma, medium]
Microsoft Graph Request User Impersonation by Unusual Client [elastic, low]
Mounting Hidden or WebDav Remote Shares [elastic, medium]
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy [elastic, medium]
New Country [sigma, high]
O365 Multiple AppIDs and UserAgents Authentication Spike [splunk_escu]
Okta Alerts Following Unusual Proxy Authentication [elastic, high]
Okta Non-Standard VPN Usage [splunk_escu]
Okta Risk Threshold Exceeded [splunk_escu]
Okta Sign-In Events via Third-Party IdP [elastic, medium]
Okta Successful Login After Credential Attack [elastic, high]
Okta User Session Impersonation [elastic, high]
Okta User Sessions Started from Different Geolocations [elastic, medium]
OpenCanary - SSH Login Attempt [sigma, high]
OpenCanary - SSH New Connection Attempt [sigma, high]
OpenCanary - Telnet Login Attempt [sigma, high]
Password Provided In Command Line Of Net.EXE [sigma, medium]
PIM Alert Setting Changes To Disabled [sigma, high]
PingID Multiple Failed MFA Requests For User [splunk_escu]
Potential Account Takeover - Logon from New Source IP [elastic, medium]
Potential Account Takeover - Mixed Logon Types [elastic, medium]
Potential Admin Group Account Addition [elastic, medium]
Potential Credential Access via DCSync [elastic, medium]
Potential Hidden Local User Account Creation [elastic, medium]
Potential Impersonation Attempt via Kubectl [elastic, medium]
Potential Okta MFA Bombing via Push Notifications [elastic, high]
Potential Privileged Escalation via SamAccountName Spoofing [elastic, high]
Potential Successful SSH Brute Force Attack [elastic, high]
Potential Suspicious DebugFS Root Device Access [elastic, low]
Potentially Successful Okta MFA Bombing via Push Notifications [elastic, high]
Rare User Logon [elastic, low]
Remote Computer Account DnsHostName Update [elastic, high]
Roles Activated Too Frequently [sigma, high]
Roles Activation Doesn't Require MFA [sigma, high]
Roles Are Not Being Used [sigma, high]
Roles Assigned Outside PIM [sigma, high]
Root Account Enable Via Dsenableroot [sigma, medium]
Spike in Group Application Assignment Change Events [elastic, low]
Spike in Group Lifecycle Change Events [elastic, low]
Spike in Group Management Events [elastic, low]
Spike in Group Membership Events [elastic, low]
Spike in Group Privilege Change Events [elastic, low]
Spike in Logon Events [elastic, low]
Spike in Privileged Command Execution by a User [elastic, low]
Spike in Special Logon Events [elastic, low]
Spike in Special Privilege Use Events [elastic, low]
Spike in Successful Logon Events from a Source IP [elastic, low]
Spike in User Account Management Events [elastic, low]
Spike in User Lifecycle Management Change Events [elastic, low]
Stale Accounts In A Privileged Role [sigma, high]
Successful Application SSO from Rare Unknown Client Device [elastic, medium]
Successful SSH Authentication from Unusual IP Address [elastic, low]