Valid Accounts: Domain Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.[1] Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.[2]

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

ID: T1078.002
Sub-technique of:  T1078
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, User
Contributors: Jon Sternstein, Stern Security
Version: 1.3
Created: 13 March 2020
Last Modified: 13 April 2023

Procedure Examples

ID Name Description
G0022 APT3

APT3 leverages valid accounts after gaining credentials for use within the victim domain.[3]

G0114 Chimera

Chimera has used compromised domain accounts to gain access to the target environment.[4]

S0154 Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.[5][6][7]

S1024 CreepySnail

CreepySnail can use stolen credentials to authenticate on target networks.[8]

G0119 Indrik Spider

Indrik Spider has collected credentials from infected systems, including domain accounts.[9]

G0059 Magic Hound

Magic Hound has used domain administrator accounts after dumping LSASS process memory.[10]

G0019 Naikon

Naikon has used administrator credentials for lateral movement in compromised networks.[11]

C0002 Night Dragon

During Night Dragon, threat actors used domain accounts to gain further access to victim systems.[12]

C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.[13]

C0023 Operation Ghost

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.[14]

C0014 Operation Wocao

During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.[15]

S0446 Ryuk

Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[16]

G0034 Sandworm Team

Sandworm Team has used stolen credentials to access administrative accounts within the domain.[17][18]

S0140 Shamoon

If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.[19][20]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks.[21]

S0603 Stuxnet

Stuxnet attempts to access network resources with a domain account’s credentials.[22]

G0092 TA505

TA505 has used stolen domain admin accounts to compromise additional hosts.[23]

G0028 Threat Group-1314

Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[24]

G0102 Wizard Spider

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[25]


ID Mitigation Description
M1032 Multi-factor Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

M1026 Privileged Account Management

Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.

M1017 User Training

Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.


ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

Logon Session Metadata

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

DS0002 User Account User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux

Detection Notes

  • For Windows, Security Logs events, including Event ID 4624, can be monitored to track user login behavior.
  • For Linux, auditing frameworks that support File Integrity Monitoring (FIM), including the audit daemon (auditd), can be used to alert on changes to files that store login information. These files include: /etc/login.defs, /etc/securetty, /var/log/faillog, /var/log/lastlog, /var/log/tallylog.
  • For MacOS, auditing frameworks that support capturing information on user logins, such as OSQuery, can be used to audit user account logins and authentications.


  1. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  2. Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.
  3. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  4. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  5. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  6. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  7. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  8. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  9. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  10. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  11. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  12. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  13. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.