ATT&CK coverage › Technique

Valid Accounts: Domain Accounts `T1078.002`

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4662	An operation was performed on an object.
Security-Auditing	4738	A user account was changed.
Security-Auditing	4742	A computer account was changed.
Security-Auditing	4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	4769	A Kerberos service ticket was requested.
Security-Auditing	4781	The name of an account was changed.
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5137	A directory service object was created.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 19 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (22 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventID`	5	`eq` 5	`4781`, `4769`, `4768`, `5137`, `5136`
`Properties`	3	`match` 3	`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`, `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`, `DS-Replication-Get-Changes-In-Filtered-Set`, `b7ff5a38-0818-42b0-8110-d3d154c97f24`, `612cb747-c0e8-4f92-9221-fdd5f15b550d`
`AttributeLDAPDisplayName`	3	`eq` 3	`dSHeuristics`, `msDS-ManagedAccountPrecededByLink`, `displayName`, `gPCFileSysPath`
`OldTargetUserName`	3	`eq` 2, `ends_with` 1	`"*$"`, `$`
`ScriptBlockText`	3	`match` 2, `eq` 1	`CN=`, `.Put("msDS-ManagedAccountPrecededByLink`, `New-ADServiceAccount`, `-path`, `-CreateDelegatedServiceAccount`
`AttributeValue`	2	`match` 1, `ne` 1	`[0-9]{15}([1-9a-f]).*`, `"New Group Policy Object"`
`ObjectClass`	2	`eq` 2	`msDS-DelegatedManagedServiceAccount`, `groupPolicyContainer`
`EventType`	2	`eq` 2	`renamed-user-account`, `changed-computer-account`
`user`	2	`starts_with` 1, `ne` 1	`Admin`, `"*$"`
`NewTargetUserName`	2	`ne` 2	`"*$"`
`ObjectDN`	1	`starts_with` 1	`CN=AdminSDHolder,CN=System`
`NewUACList`	1	`eq` 1	`USER_DONT_REQUIRE_PREAUTH`
`AccessMask`	1	`eq` 1	`0x100`
`user.id`	1	`starts_with` 1	`S-1-12-1-`, `S-1-5-21-`
`DnsHostName`	1	`starts_with` 1	`??`

Top indicator values (57 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`Properties`	`match`	`DS-Replication-Get-Changes-In-Filtered-Set`	2
`Properties`	`match`	`DS-Replication-Get-Changes-All`	2
`Properties`	`match`	`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`	2	2
`Properties`	`match`	`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`	2	2
`Properties`	`match`	`89e95b76-444d-4c62-991a-0facbeda640c`	2	2
`Properties`	`match`	`DS-Replication-Get-Changes`	2
`OldTargetUserName`	`eq`	`"*$"`	2	2
`EventID`	`eq`	`4781`	2	2
`NewTargetUserName`	`ne`	`"*$"`	2	2
`Properties`	`match`	`612cb747-c0e8-4f92-9221-fdd5f15b550d`	1
`Properties`	`match`	`b7ff5a38-0818-42b0-8110-d3d154c97f24`	1
`Properties`	`match`	`b3f93023-9239-4f7c-b99c-6745d87adbc2`	1
`Properties`	`match`	`b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7`	1
`ObjectDN`	`starts_with`	`CN=AdminSDHolder,CN=System`	1
`AttributeLDAPDisplayName`	`eq`	`dSHeuristics`	1
`AttributeValue`	`match`	`[0-9]{15}([1-9a-f]).*`	1
`AttributeLDAPDisplayName`	`eq`	`msDS-ManagedAccountPrecededByLink`	1
`ObjectClass`	`eq`	`msDS-DelegatedManagedServiceAccount`	1
`NewUACList`	`eq`	`USER_DONT_REQUIRE_PREAUTH`	1
`AccessMask`	`eq`	`0x100`	1	3

Common exclusions (6 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`user`	`ends_with`	`$`	2
`user`	`starts_with`	`MSOL_`	2
`AccessMask`	`in`	`0x0`	1
`SubjectUserSid`	`eq`	`S-1-5-18`	1
`AccessMask`	`in`	`0x100`	1
`NewTargetUserName`	`ends_with`	`$`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Admin User Remote Logon severity low, 1 event, 3 indicators, 0 exclusions
DMSA Link Attributes Modified severity low, 1 event, 2 indicators, 0 exclusions
DMSA Service Account Created in Specific OUs - PowerShell severity medium, 1 event, 3 indicators, 0 exclusions
New DMSA Service Account Created in Specific OUs severity medium, 1 event, 9 indicators, 0 exclusions

Elastic 10 rules

Access to a Sensitive LDAP Attribute 1 event, 4 indicators, 2 exclusions
AdminSDHolder Backdoor 1 event, 1 indicator, 0 exclusions
AdminSDHolder SDProp Exclusion Added 1 event, 2 indicators, 0 exclusions
Delegated Managed Service Account Modification by an Unusual User 1 event, 1 indicator, 0 exclusions
dMSA Account Creation by an Unusual User 1 event, 1 indicator, 0 exclusions
FirstTime Seen Account Performing DCSync 1 event, 6 indicators, 2 exclusions
Kerberos Pre-authentication Disabled for User 1 event, 1 indicator, 0 exclusions
Potential Credential Access via DCSync 1 event, 7 indicators, 2 exclusions
Potential Privileged Escalation via SamAccountName Spoofing 1 event, 2 indicators, 1 exclusion
Remote Computer Account DnsHostName Update 1 event, 4 indicators, 1 exclusion

Splunk 5 rules

Suspicious Computer Account Name Change 1 event, 3 indicators, 0 exclusions
Suspicious Kerberos Service Ticket Request 1 event, 2 indicators, 0 exclusions
Suspicious Ticket Granting Ticket Request 2 events, 6 indicators, 0 exclusions
Windows Group Policy Object Created 2 events, 6 indicators, 0 exclusions
Windows PowerView AD Access Control List Enumeration 1 event, 3 indicators, 0 exclusions

Valid Accounts: Domain Accounts T1078.002