1. Home
  2. Techniques
  3. Enterprise
  4. Valid Accounts
  5. Domain Accounts

Valid Accounts: Domain Accounts

ID Name
T1078.001 Default Accounts
T1078.002 Domain Accounts
T1078.003 Local Accounts
T1078.004 Cloud Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.[1] Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.[2]

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

ID: T1078.002
Sub-technique of:  T1078
Platforms: ESXi, Linux, Windows, macOS
Contributors: Jon Sternstein, Stern Security
Version: 1.5
Created: 13 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1030 Agrius

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.[3]
G0022 APT3

APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4]
G1023 APT5

APT5 has used legitimate account credentials to move laterally through compromised environments.[5]
G0143 Aquatic Panda

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.[6]
G1043 BlackByte

BlackByte captured credentials for or impersonated domain administration users.[7][8]
G0114 Chimera

Chimera has used compromised domain accounts to gain access to the target environment.[9]
G1021 Cinnamon Tempest

Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware.[10]
S0154 Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.[11][12][13]
S1024 CreepySnail

CreepySnail can use stolen credentials to authenticate on target networks.[14]
C0029 Cutting Edge

During Cutting Edge, threat actors used compromised VPN accounts for lateral movement on targeted networks.[15]
G0119 Indrik Spider

Indrik Spider has collected credentials from infected systems, including domain accounts.[16]
C0049 Leviathan Australian Intrusions

Leviathan compromised domain credentials during Leviathan Australian Intrusions.[17]
G0059 Magic Hound

Magic Hound has used domain administrator accounts after dumping LSASS process memory.[18]
G0019 Naikon

Naikon has used administrator credentials for lateral movement in compromised networks.[19]
C0002 Night Dragon

During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[20]
G0049 OilRig

OilRig has used an exfiltration tool named STEALHOOK to retreive valid domain credentials.[21]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.[22]

C0023 Operation Ghost

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[23]
C0048 Operation MidnightEclipse

During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally.[24]
C0014 Operation Wocao

During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.[25]
G1040 Play

Play has used valid domain accounts for access.[26]
S0446 Ryuk

Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[27]
C0059 Salesforce Data Exfiltration

During Salesforce Data Exfiltration, threat actors used compromised credentials for lateral movement.[28][29]
G0034 Sandworm Team

Sandworm Team has used stolen credentials to access administrative accounts within the domain.[30][31]
S0140 Shamoon

If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.[32][33]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks.[34]
S0603 Stuxnet

Stuxnet attempts to access network resources with a domain account’s credentials.[35]
G0092 TA505

TA505 has used stolen domain admin accounts to compromise additional hosts.[36]
G0028 Threat Group-1314

Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[37]
G1022 ToddyCat

ToddyCat has used compromised domain admin credentials to mount local network shares.[38]
G1017 Volt Typhoon

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.[39][40][41]
G0102 Wizard Spider

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[42]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
M1027 Password Policies

Implement and enforce strong password policies for domain accounts to ensure passwords are complex, unique, and regularly rotated. This reduces the likelihood of password guessing, credential stuffing, and other attack methods that rely on weak or static credentials.
M1026 Privileged Account Management

Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.
M1018 User Account Management

Regularly review and manage domain accounts to ensure that only active, necessary accounts exist. Remove or disable inactive and unnecessary accounts to reduce the risk of adversaries abusing these accounts to gain unauthorized access or move laterally within the network.
M1017 User Training

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0210 Abuse of Domain Accounts AN0590

Detection of suspicious logon behavior using valid domain accounts across multiple hosts, off-hours, or simultaneous sessions from geographically distant locations.
AN0591

Use of domain accounts via sssd or winbind for logon activity outside of typical patterns, especially on sensitive systems or with lateral movement tools.
AN0592

Domain logins using network accounts or mobile accounts via Open Directory or Active Directory plugins, especially outside business hours or on atypical endpoints.
AN0593

Login to vSphere or ESXi hosts using domain accounts, especially those associated with vpxuser or unexpected group memberships.

References

  1. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  2. Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.
  3. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  5. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  6. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  7. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  8. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  9. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  10. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  11. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  12. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  13. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  14. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  15. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  16. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  17. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  18. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  19. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  20. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  21. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  1. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  3. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  5. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  6. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
  7. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025.
  8. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  9. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  10. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  11. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.
  12. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  13. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  14. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  15. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  16. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  17. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  18. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  19. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  20. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  21. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.