Valid Accounts T1078

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Events covered

35 catalog events are tagged with this technique by at least one rule.

Provider           Event          Title
Sysmon             Event ID 1     Process creation
Security-Auditing  Event ID 4624  An account was successfully logged on.
Security-Auditing  Event ID 4625  An account failed to log on.
Security-Auditing  Event ID 4634  An account was logged off.
Security-Auditing  Event ID 4647  User initiated logoff.
Security-Auditing  Event ID 4648  A logon was attempted using explicit credentials.
Security-Auditing  Event ID 4662  An operation was performed on an object.
Security-Auditing  Event ID 4675  SIDs were filtered.
Security-Auditing  Event ID 4688  A new process has been created.
Security-Auditing  Event ID 4720  A user account was created.
Security-Auditing  Event ID 4722  A user account was enabled.
Security-Auditing  Event ID 4723  An attempt was made to change an account's password.
Security-Auditing  Event ID 4724  An attempt was made to reset an account's password.
Security-Auditing  Event ID 4725  A user account was disabled.
Security-Auditing  Event ID 4726  A user account was deleted.
Security-Auditing  Event ID 4727  A security-enabled global group was created.
Security-Auditing  Event ID 4728  A member was added to a security-enabled global group.
Security-Auditing  Event ID 4729  A member was removed from a security-enabled global group.
Security-Auditing  Event ID 4731  A security-enabled local group was created.
Security-Auditing  Event ID 4732  A member was added to a security-enabled local group.
Security-Auditing  Event ID 4733  A member was removed from a security-enabled local group.
Security-Auditing  Event ID 4738  A user account was changed.
Security-Auditing  Event ID 4742  A computer account was changed.
Security-Auditing  Event ID 4754  A security-enabled universal group was created.
Security-Auditing  Event ID 4756  A member was added to a security-enabled universal group.
Security-Auditing  Event ID 4757  A member was removed from a security-enabled universal group.
Security-Auditing  Event ID 4768  A Kerberos authentication ticket (TGT) was requested.
Security-Auditing  Event ID 4769  A Kerberos service ticket was requested.
Security-Auditing  Event ID 4776  The domain controller attempted to validate the credentials for an account.
Security-Auditing  Event ID 4781  The name of an account was changed.
Security-Auditing  Event ID 4964  Special groups have been assigned to a new logon.
Security-Auditing  Event ID 5136  A directory service object was modified.
Security-Auditing  Event ID 5137  A directory service object was created.
PowerShell         Event ID 4103  Payload Context: ContextInfo User Data: UserData.
PowerShell         Event ID 4104  Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 67 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (82 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                     Rules  How                                                    Sample values
EventID                      29  eq 24, in 5                                            1, 4104, 4624, 4688, 4728
Channel                      10  eq 10, in 10
eventtype                    10  eq 10
LogonType                     7  eq 6, in 1                                             Network, RemoteInteractive, Interactive
AccountType                   6  eq 6                                                   User
CommandLine                   6  contains 6, ends_with 1, in 1, match 1, regex_match 1  use, user, *az.cmd*, *azure.cli*
TargetSid                     6  regex_match 3, eq 2, ends_with 1                       S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]..., S-1-5-32-5[0-9][0-9]$, S-1-5-32-544, -500
TargetUserName                6  ne 2, starts_with 2, ends_with 1, is_not_null 1        *$, $, Admin, Administr
process_name                  6  eq 3, ends_with 2, contains 1                          net1.exe, \cmd.exe, \net.exe, \net1.exe, \sshd.exe
ScriptBlockText               5  contains 4, in 1                                       *install-module -name aadinternals*, *install-module -name az.resources*, *install-module -name azuread*, -createdelegatedserviceaccount, -path
src_ip                        5  cidr_match 3, eq 3, contains 1, is_not_null 1, ne 1    -, 10.0.0.0/8, 127.0.0.0/8, 127.0.0.1, %admin_jump_hosts%
EventType                     4  eq 4                                                   logged-in, changed-computer-account, renamed-user-account
OldTargetUserName             4  ends_with 2, eq 2, starts_with 1                       *$, $, -adm, -admin, <customer pattern>
OriginalFileName              4  eq 4                                                   net1.exe, net.exe, powershell.exe, powershell_ise.exe, pwsh.dll
AttributeLDAPDisplayName      3  eq 3                                                   displayname, dsheuristics, gpcfilesyspath, msds-managedaccountprecededbylink

Top indicator values (266 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field                   Kind         Value                                                                            Rules (here)  Corpus reach
AccountType             eq           User                                                                                        6             9
EventID                 eq           1                                                                                           3           232
EventID                 eq           4104                                                                                        3           268
EventID                 eq           4688                                                                                        3           312
EventID                 eq           4769                                                                                        3            10
EventID                 eq           4624                                                                                        2            26
EventID                 eq           4720                                                                                        2             5
EventID                 eq           4725                                                                                        2             2
EventID                 eq           4726                                                                                        2             2
EventID                 in           4728                                                                                        3             4
EventID                 in           4732                                                                                        3             4
EventID                 in           4756                                                                                        3             4
LogonType               eq           Network                                                                                     3            39
OriginalFileName        eq           net1.exe                                                                                    3            43
TargetSid               regex_match  S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102...            3             3
TargetSid               regex_match  S-1-5-32-5[0-9][0-9]$                                                                       3             3
process_name            eq           net1.exe                                                                                    3            34
src_ip                  cidr_match   10.0.0.0/8                                                                                  3             4
src_ip                  cidr_match   127.0.0.0/8                                                                                 3             6
src_ip                  cidr_match   169.254.0.0/16                                                                              3             5
src_ip                  cidr_match   172.16.0.0/12                                                                               3             4
src_ip                  cidr_match   192.168.0.0/16                                                                              3             4
src_ip                  cidr_match   ::1/128                                                                                     3             4
src_ip                  cidr_match   fc00::/7                                                                                    3             4
src_ip                  cidr_match   fe80::/10                                                                                   3             4
status                  eq           success                                                                                     3             3
unique_users            gt           5                                                                                           3             3
Esql.max_logon          ge           1000                                                                                        2             2
Esql.min_logon          ge           1                                                                                           2             2
Esql.unique_host_count  ge           2                                                                                           2             2

Exclusions (65 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field            Kind         Value           Rules excluding
SubjectUserName  ends_with    $               4
src_ip           cidr_match   10.0.0.0/8      3
src_ip           cidr_match   127.0.0.0/8     3
src_ip           cidr_match   169.254.0.0/16  3
src_ip           cidr_match   172.16.0.0/12   3
src_ip           cidr_match   192.168.0.0/16  3
src_ip           cidr_match   ::1/128         3
src_ip           cidr_match   fc00::/7        3
src_ip           cidr_match   fe80::/10       3
EventData        contains     s-1-5-32-555    2
SubjectUserName  starts_with  MSOL_           2
TargetSid        eq           S-1-5-32-555    2
TargetUserName   ends_with    $               2
src_ip           eq           -               2
AccessMask       in           0x0             1
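The predicates tabulated in the authoring guide above, assembled into one runnable triage script: the 4624 logon filters on LogonType, machine accounts and src_ip ranges together with the per-user host-count threshold (Esql.unique_host_count) from the Fields filtered most and Top indicator values sections, and the machine-account, private-range and Remote Desktop Users (S-1-5-32-555) exclusions from the Exclusions section. This is an added example written for this page; it is not code from Sigma, Elastic, Splunk, Kusto or any rule in the catalog. The sample events are constructed, the function names and the min_hosts threshold are assumptions, and the TargetSid pattern keeps only the 5xx branches of the regex shown above (the catalog's full expression continues past the truncation on this page).

```python
"""Valid Accounts (T1078) triage over constructed Windows Security events.

Added example for this catalog page, not code from any rule vendor listed on it.
Field names mirror the Security-Auditing channel; sample events, thresholds and
function names are assumptions, not catalog values.
"""
import ipaddress
import re
from collections import defaultdict

# The ranges the catalog's src_ip cidr_match exclusions cover.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Only the 5xx branches of the page's TargetSid regex: well-known local groups
# (S-1-5-32-544 Administrators, ...) and domain groups with RID 5xx (512 Domain Admins, ...).
PRIV_SID = re.compile(
    r"^(S-1-5-32-5[0-9][0-9]|S-1-5-21-[0-9]+-[0-9]+-[0-9]+-5[0-9][0-9])$")
REMOTE_DESKTOP_USERS = "S-1-5-32-555"   # matches the 5xx pattern but is excluded by rules here
GROUP_ADD_EVENTS = {4728, 4732, 4756}
REMOTE_LOGON_TYPES = {"3", "10"}         # raw 4624 codes; the catalog normalizes them to Network / RemoteInteractive

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": "3",
     "IpAddress": "10.20.1.5", "WorkstationName": "WS01"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": "10",      # RDP from outside
     "IpAddress": "203.0.113.7", "WorkstationName": ""},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": "3",
     "IpAddress": "10.20.1.5", "WorkstationName": "FS01"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": "3",
     "IpAddress": "10.20.1.6", "WorkstationName": "FS02"},
    {"EventID": 4624, "TargetUserName": "WS01$", "LogonType": "3",      # machine account
     "IpAddress": "198.51.100.9", "WorkstationName": "WS01"},
    {"EventID": 4624, "TargetUserName": "admin", "LogonType": "2",      # console logon, IpAddress is '-'
     "IpAddress": "-", "WorkstationName": "DC01"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-1004336348-1177238915-682003330-512"},
    {"EventID": 4732, "SubjectUserName": "DC01$", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},                                       # computer-account actor
    {"EventID": 4732, "SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555"},                                       # noisy group, excluded
    {"EventID": 4732, "SubjectUserName": "helpdesk", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},
]

def is_internal(ip):
    """True for the catalog's excluded ranges and for the '-' placeholder 4624 carries on local logons."""
    if ip in ("", "-"):
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def external_logons(events):
    """4624 with a remote LogonType from a non-internal address, user principals only."""
    return [e for e in events
            if e["EventID"] == 4624
            and e["LogonType"] in REMOTE_LOGON_TYPES
            and not e["TargetUserName"].endswith("$")
            and not is_internal(e["IpAddress"])]

def spray_targets(events, min_hosts=2):
    """Users with successful logons from at least min_hosts distinct sources (assumed threshold)."""
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and not e["TargetUserName"].endswith("$"):
            hosts[e["TargetUserName"]].add(e["WorkstationName"] or e["IpAddress"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def privileged_group_adds(events):
    """Group additions whose target SID matches a privileged pattern, after the two exclusions
    the catalog lists: computer-account actors and the Remote Desktop Users group."""
    return [e for e in events
            if e["EventID"] in GROUP_ADD_EVENTS
            and not e["SubjectUserName"].endswith("$")
            and e["TargetSid"] != REMOTE_DESKTOP_USERS
            and PRIV_SID.match(e["TargetSid"])]

if __name__ == "__main__":
    for e in external_logons(SAMPLE_EVENTS):
        print("external logon:", e["TargetUserName"], "from", e["IpAddress"])
    for user, srcs in spray_targets(SAMPLE_EVENTS).items():
        print("multi-host logons:", user, srcs)
    for e in privileged_group_adds(SAMPLE_EVENTS):
        print("privileged group add:", e["SubjectUserName"], "->", e["TargetUserName"])
```

On the sample set the script reports one external RDP logon (jdoe from 203.0.113.7), two users seen from more than one source, and two privileged group additions; the machine-account logon from 198.51.100.9 and the DC01$ group change are dropped by the same ends_with $ exclusions the catalog ranks highest, which is the point: without them every domain-joined host generates these events on its own.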

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor (67 in total).

Sigma: 18 rules
Elastic: 14 rules
Splunk: 23 rules
Kusto: 12 rules