EXPLORE
Sign In
← Back to Explore
T1078.002

Domain Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain acc...

ESXiLinuxmacOSWindows
26
Detections
3
Sources
18
Threat Actors

BY SOURCE

15elastic6splunk_escu5sigma

PROCEDURES (23)

Kerbero2 detections

Auto-extracted: 2 detections for kerbero

Dcsync2 detections

Auto-extracted: 2 detections for dcsync

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Privilege1 detections

Auto-extracted: 1 detections for privilege

Powershell1 detections

Auto-extracted: 1 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

Remote1 detections

Auto-extracted: 1 detections for remote

Lateral1 detections

Auto-extracted: 1 detections for lateral

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Lateral1 detections

Auto-extracted: 1 detections for lateral

Service1 detections

Auto-extracted: 1 detections for service

Powershell1 detections

Auto-extracted: 1 detections for powershell

Credential1 detections

Auto-extracted: 1 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

Remote1 detections

Auto-extracted: 1 detections for remote

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (18)

AgriusAPT3APT5Aquatic PandaBlackByteChimeraCinnamon TempestIndrik SpiderMagic HoundNaikonOilRigPlaySandworm TeamTA505Threat Group-1314ToddyCatVolt TyphoonWizard Spider

DETECTIONS (26)

Access to a Sensitive LDAP Attribute
elasticmedium
Admin User Remote Logon
sigmalow
AdminSDHolder Backdoor
elastichigh
AdminSDHolder SDProp Exclusion Added
elastichigh
Delegated Managed Service Account Modification by an Unusual User
elastichigh
Detect Excessive Account Lockouts From Endpoint
splunk_escu
dMSA Account Creation by an Unusual User
elastichigh
DMSA Link Attributes Modified
sigmalow
DMSA Service Account Created in Specific OUs - PowerShell
sigmamedium
FirstTime Seen Account Performing DCSync
elastichigh
Kerberos Pre-authentication Disabled for User
elasticmedium
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
sigmahigh
New DMSA Service Account Created in Specific OUs
sigmamedium
Potential Credential Access via DCSync
elasticmedium
Potential Privileged Escalation via SamAccountName Spoofing
elastichigh
Rare User Logon
elasticlow
Remote Computer Account DnsHostName Update
elastichigh
Spike in Special Logon Events
elasticlow
Spike in Successful Logon Events from a Source IP
elasticlow
Suspicious Computer Account Name Change
splunk_escu
Suspicious Kerberos Service Ticket Request
splunk_escu
Suspicious Ticket Granting Ticket Request
splunk_escu
Unusual Windows User Privilege Elevation Activity
elasticlow
Unusual Windows Username
elasticlow
Windows Group Policy Object Created
splunk_escu
Windows PowerView AD Access Control List Enumeration
splunk_escu