Valid Accounts T1078

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Events covered

25 catalog events are tagged with this technique by at least one rule.

Provider | Event ID | Title
--- | --- | ---
Sysmon | 1 | Process creation
Security-Auditing | 4624 | An account was successfully logged on.
Security-Auditing | 4625 | An account failed to log on.
Security-Auditing | 4634 | An account was logged off.
Security-Auditing | 4647 | User initiated logoff.
Security-Auditing | 4648 | A logon was attempted using explicit credentials.
Security-Auditing | 4662 | An operation was performed on an object.
Security-Auditing | 4675 | SIDs were filtered.
Security-Auditing | 4688 | A new process has been created.
Security-Auditing | 4720 | A user account was created.
Security-Auditing | 4722 | A user account was enabled.
Security-Auditing | 4724 | An attempt was made to reset an account's password.
Security-Auditing | 4725 | A user account was disabled.
Security-Auditing | 4726 | A user account was deleted.
Security-Auditing | 4728 | A member was added to a security-enabled global group.
Security-Auditing | 4732 | A member was added to a security-enabled local group.
Security-Auditing | 4738 | A user account was changed.
Security-Auditing | 4742 | A computer account was changed.
Security-Auditing | 4756 | A member was added to a security-enabled universal group.
Security-Auditing | 4769 | A Kerberos service ticket was requested.
Security-Auditing | 4776 | The domain controller attempted to validate the credentials for an account.
Security-Auditing | 4781 | The name of an account was changed.
Security-Auditing | 5136 | A directory service object was modified.
Security-Auditing | 5137 | A directory service object was created.
PowerShell | 4103 | Payload Context: ContextInfo User Data: UserData.

Authoring guide

Patterns shared across the 35 rules below: which fields they filter on, which specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (46 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators authors use (eq, wildcard, regex_match, match, and so on) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
--- | --- | --- | ---
EventID | 8 | eq 7, in 1 | 4624, 4769, 5136, 4625, 4675
user | 6 | ne 3, ends_with 2, is_not_null 1, starts_with 1 | $, "*$", Administr, "*$*"
EventType | 5 | eq 5 | logged-in, renamed-user-account, changed-computer-account, Logon
LogonType | 4 | eq 3, in 1 | 3, RemoteInteractive, Network, 10
Properties | 3 | match 3 | 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-In-Filtered-Set, b7ff5a38-0818-42b0-8110-d3d154c97f24, 612cb747-c0e8-4f92-9221-fdd5f15b550d
src_ip | 3 | cidr_match 3, eq 2, match 1 | 10.0.0.0/8, -, ::1/128
unique_users | 3 | gt 3 | 5
status | 3 | eq 3 | success
AttributeLDAPDisplayName | 2 | eq 2 | dSHeuristics, msDS-ManagedAccountPrecededByLink
event.category | 2 | eq 2 | authentication
event.outcome | 2 | eq 2 | success
Esql.min_logon | 2 | ge 2, le 2 | 1, 5, 10
Esql.unique_host_count | 2 | ge 2 | 2
Esql.max_logon | 2 | ge 2 | 1000
process_name | 2 | match 1, ends_with 1 | Foreseer, \wmic.exe, \pwsh.exe, \net1.exe

Top indicator values (110 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. A high number points to a widely used indicator that is likely noisy on its own; combine it with another condition to get useful signal. A blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
--- | --- | --- | --- | ---
src_ip | cidr_match | 192.168.0.0/16 | 3 | 3
src_ip | cidr_match | 172.16.0.0/12 | 3 | 3
src_ip | cidr_match | ::1/128 | 3 | 4
src_ip | cidr_match | fc00::/7 | 3 | 4
src_ip | cidr_match | 127.0.0.0/8 | 3 | 4
src_ip | cidr_match | 169.254.0.0/16 | 3 | 4
src_ip | cidr_match | fe80::/10 | 3 | 4
src_ip | cidr_match | 10.0.0.0/8 | 3 | 3
unique_users | gt | 5 | 3 | 3
status | eq | success | 3 | 3
Properties | match | DS-Replication-Get-Changes-In-Filtered-Set | 2 |
Properties | match | DS-Replication-Get-Changes-All | 2 |
Properties | match | 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | 2 | 2
Properties | match | 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | 2 | 2
Properties | match | 89e95b76-444d-4c62-991a-0facbeda640c | 2 | 2
Properties | match | DS-Replication-Get-Changes | 2 |
Esql.max_logon | ge | 1000 | 2 | 2
EventType | eq | logged-in | 2 | 7
event.category | eq | authentication | 2 | 5
event.outcome | eq | success | 2 | 8

Common exclusions (17 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will most likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
--- | --- | --- | ---
user | ends_with | $ | 3
user | starts_with | MSOL_ | 2
AccessMask | in | 0x0 | 1
SubjectUserSid | eq | S-1-5-18 | 1
AccessMask | in | 0x100 | 1
user.id | in | S-1-5-18 | 1
user.id | in | S-1-5-19 | 1
user.id | in | S-1-5-20 | 1
NewTargetUserName | ends_with | $ | 1
user | in | janedoe | 1
user | in | johndoe | 1
TargetUserType | in | Application | 1
TargetUserType | in | ServicePrincipal | 1
TargetUserType | in | Service | 1
TargetUserType | in | Machine | 1
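The two tables above show the shape of the catalog's rules: a noisy base indicator (successful 4624 logons, status eq success, src_ip matched against the private and loopback ranges) made useful by a second condition (unique_users gt 5) and trimmed by the common exclusions (machine accounts ending in $, MSOL_ sync accounts, the SYSTEM SID S-1-5-18). The following is an added example, not a rule from the catalog, that evaluates that combination over constructed logon events; it assumes the cidr_match is used as a positive condition and that events are plain dicts keyed by the normalized field names in the tables.

```python
import ipaddress
from collections import defaultdict

# src_ip ranges listed under the catalog's cidr_match indicators.
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the cidr_match ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_CIDRS)


def is_excluded(event: dict) -> bool:
    """Common exclusions from the table above: machine accounts (user ends
    with $), directory sync accounts (MSOL_*) and SYSTEM (S-1-5-18)."""
    user = event.get("user", "")
    return (user.endswith("$") or user.startswith("MSOL_")
            or event.get("SubjectUserSid") == "S-1-5-18")


def sources_with_many_users(events, threshold=5):
    """Combine the noisy indicators (EventID 4624, status success, internal
    src_ip; assumed positive match) with unique_users > threshold.
    Returns {src_ip: sorted distinct users} for sources over the threshold."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("status") != "success":
            continue
        if is_excluded(ev) or not is_internal(ev["src_ip"]):
            continue
        users_by_src[ev["src_ip"]].add(ev["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) > threshold}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = (
    [{"EventID": 4624, "status": "success", "src_ip": "10.1.2.3", "user": u}
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [{"EventID": 4624, "status": "success", "src_ip": "10.1.2.3", "user": "WS01$"},
       {"EventID": 4624, "status": "success", "src_ip": "10.1.2.3", "user": "MSOL_a1b2"},
       {"EventID": 4624, "status": "success", "src_ip": "10.1.2.3", "user": "svc",
        "SubjectUserSid": "S-1-5-18"},
       {"EventID": 4625, "status": "failure", "src_ip": "10.1.2.3", "user": "grace"},
       {"EventID": 4624, "status": "success", "src_ip": "192.168.5.9", "user": "heidi"}]
)

if __name__ == "__main__":
    print(sources_with_many_users(SAMPLE_EVENTS))
```

Only 10.1.2.3 is reported: its six interactive users exceed the threshold once the machine, MSOL_ and SYSTEM logons and the failed 4625 are dropped, while 192.168.5.9 has a single user.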

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.

Sigma: 8 rules

Elastic: 12 rules

Splunk: 6 rules

Kusto Query Language: 9 rules