Valid Accounts T1078
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Events covered
35 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 67 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (82 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (266 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (65 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 18 rules
- Account renamed to admin (or likely) account to evade defense
- Account Tampering - Suspicious Failed Logon Reasons
- Admin User Remote Logon
- Azure Windows virtual machine login via serial console
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
- DMSA Link Attributes Modified
- DMSA Service Account Created in Specific OUs - PowerShell
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- Lateral movement detection (based on "special groups" feature)
- Network login performed to multiple targets
- New DMSA Service Account Created in Specific OUs
- Password Provided In Command Line Of Net.EXE
- Success login attempt on a Windows OpenSSH server
- Suspicious Computer Machine Password by PowerShell
- Suspicious Remote Logon with Explicit Credentials
- User Added to Local Administrator Group
Elastic 14 rules
- Access to a Sensitive LDAP Attribute
- Account Discovery Command via SYSTEM Account
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Delegated Managed Service Account Modification by an Unusual User
- dMSA Account Creation by an Unusual User
- First Time Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Mounting Hidden or WebDav Remote Shares
- Potential Account Takeover - Logon from New Source IP
- Potential Account Takeover - Mixed Logon Types
- Potential Credential Access via DCSync
- Potential Privileged Escalation via SamAccountName Spoofing
- Remote Computer Account DnsHostName Update
Splunk 23 rules
- Account set to active via Net.exe (EDR)
- Account set to active via Net.exe (Sysmon)
- Account set to active via Net.exe (Windows Event Log)
- Multiple Host logons (Windows Event Log)
- Rubeus Password Change (Windows Event Log)
- Short Lived Windows Accounts
- Suspicious Computer Account Name Change
- Suspicious Kerberos Service Ticket Request
- Suspicious Ticket Granting Ticket Request
- Unusual Number of Computer Service Tickets Requested
- Unusual Number of Remote Endpoint Authentication Events
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
- Windows Entra User Management Via Azure CLI
- Windows Group Policy Object Created
- Windows Guest Account Enabled Via Net.EXE
- Windows Large Number of Computer Service Tickets Requested
- Windows Multiple Account Passwords Changed
- Windows Multiple Accounts Deleted
- Windows Multiple Accounts Disabled
- Windows PowerView AD Access Control List Enumeration
- WMIC Explicit Credentials (Sysmon)
- WMIC Explicit Credentials (Windows Event Log)
Kusto 12 rules
- Account added and removed from privileged groups
- AdminSDHolder Modifications
- EatonForeseer - Unauthorized Logins
- Email access via active sync
- Group created then added to built in domain local or global group
- Multiple Password Reset by user
- New user created and added to the built-in administrators group
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- User account added to built in domain local or global group
- User account created and deleted within 10 mins
- User account enabled and disabled within 10 mins
- User login from different countries within 3 hours (Uses Authentication Normalization)