Domain Accounts - T1078.002
(ATT&CK® Technique)
Definition
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;

%% D3FEND view of ATT&CK T1078.002 (Domain Accounts).
%% Solid edges link a technique or countermeasure to a digital artifact.
%% Dotted edges carry the "May ..." labels: candidate countermeasure-to-technique
%% links that follow from a shared artifact. They are not a statement of
%% guaranteed coverage.
%% Repeated class and click statements from the generated source are declared
%% once at the end. Edge order is unchanged.

%% Offensive technique and the artifacts it uses or produces.
T1078002["Domain Accounts"] --> |uses| UserAccount["User Account"];
T1078002["Domain Accounts"] --> |produces| Authentication["Authentication"];
T1078002["Domain Accounts"] --> |produces| Authorization["Authorization"];
T1078002["Domain Accounts"] --> |uses| DomainUserAccount["Domain User Account"];

%% Harden: authentication strength and account permissions.
Multi-factorAuthentication["Multi-factor Authentication"] --> | authenticates | UserAccount["User Account"];
Multi-factorAuthentication["Multi-factor Authentication"] -.-> | May Harden | T1078002["Domain Accounts"];
Multi-factorAuthentication["Multi-factor Authentication"] --> | authenticates | DomainUserAccount["Domain User Account"];
One-timePassword["One-time Password"] --> | authenticates | UserAccount["User Account"];
One-timePassword["One-time Password"] -.-> | May Harden | T1078002["Domain Accounts"];
One-timePassword["One-time Password"] --> | authenticates | DomainUserAccount["Domain User Account"];
StrongPasswordPolicy["Strong Password Policy"] --> | strengthens | UserAccount["User Account"];
StrongPasswordPolicy["Strong Password Policy"] -.-> | May Harden | T1078002["Domain Accounts"];
StrongPasswordPolicy["Strong Password Policy"] --> | strengthens | DomainUserAccount["Domain User Account"];
BiometricAuthentication["Biometric Authentication"] --> | authenticates | DomainUserAccount["Domain User Account"];
BiometricAuthentication["Biometric Authentication"] -.-> | May Harden | T1078002["Domain Accounts"];
UserAccountPermissions["User Account Permissions"] --> | restricts | DomainUserAccount["Domain User Account"];
UserAccountPermissions["User Account Permissions"] -.-> | May Harden | T1078002["Domain Accounts"];
UserAccountPermissions["User Account Permissions"] --> | restricts | UserAccount["User Account"];
BiometricAuthentication["Biometric Authentication"] --> | authenticates | UserAccount["User Account"];

%% Evict: disable an account that is being abused.
AccountLocking["Account Locking"] --> | disables | UserAccount["User Account"];
AccountLocking["Account Locking"] -.-> | May Evict | T1078002["Domain Accounts"];
AccountLocking["Account Locking"] --> | disables | DomainUserAccount["Domain User Account"];

%% Detect: analytics over authentication and authorization events.
SessionDurationAnalysis["Session Duration Analysis"] --> | analyzes | Authentication["Authentication"];
SessionDurationAnalysis["Session Duration Analysis"] -.-> | May Detect | T1078002["Domain Accounts"];
SessionDurationAnalysis["Session Duration Analysis"] --> | analyzes | Authorization["Authorization"];
AuthenticationEventThresholding["Authentication Event Thresholding"] --> | analyzes | Authentication["Authentication"];
AuthenticationEventThresholding["Authentication Event Thresholding"] -.-> | May Detect | T1078002["Domain Accounts"];
AuthorizationEventThresholding["Authorization Event Thresholding"] --> | analyzes | Authorization["Authorization"];
AuthorizationEventThresholding["Authorization Event Thresholding"] -.-> | May Detect | T1078002["Domain Accounts"];
DomainAccountMonitoring["Domain Account Monitoring"] --> | monitors | DomainUserAccount["Domain User Account"];
DomainAccountMonitoring["Domain Account Monitoring"] -.-> | May Detect | T1078002["Domain Accounts"];
JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] --> | analyzes | Authorization["Authorization"];
JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -.-> | May Detect | T1078002["Domain Accounts"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] --> | analyzes | Authentication["Authentication"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.-> | May Detect | T1078002["Domain Accounts"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] --> | analyzes | Authorization["Authorization"];

%% Restore: return account access to the legitimate owner.
RestoreUserAccountAccess["Restore User Account Access"] --> | restores | UserAccount["User Account"];
RestoreUserAccountAccess["Restore User Account Access"] -.-> | May Restore | T1078002["Domain Accounts"];
RestoreUserAccountAccess["Restore User Account Access"] --> | restores | DomainUserAccount["Domain User Account"];
UnlockAccount["Unlock Account"] --> | restores | DomainUserAccount["Domain User Account"];
UnlockAccount["Unlock Account"] -.-> | May Restore | T1078002["Domain Accounts"];
UnlockAccount["Unlock Account"] --> | restores | UserAccount["User Account"];

%% Node styling, one class assignment per node.
class T1078002 OffensiveTechniqueNode;
class UserAccount ArtifactNode;
class Authentication ArtifactNode;
class Authorization ArtifactNode;
class DomainUserAccount ArtifactNode;
class Multi-factorAuthentication DefensiveTechniqueNode;
class One-timePassword DefensiveTechniqueNode;
class StrongPasswordPolicy DefensiveTechniqueNode;
class BiometricAuthentication DefensiveTechniqueNode;
class UserAccountPermissions DefensiveTechniqueNode;
class AccountLocking DefensiveTechniqueNode;
class SessionDurationAnalysis DefensiveTechniqueNode;
class AuthenticationEventThresholding DefensiveTechniqueNode;
class AuthorizationEventThresholding DefensiveTechniqueNode;
class DomainAccountMonitoring DefensiveTechniqueNode;
class JobFunctionAccessPatternAnalysis DefensiveTechniqueNode;
class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
class RestoreUserAccountAccess DefensiveTechniqueNode;
class UnlockAccount DefensiveTechniqueNode;

%% Node links into the D3FEND knowledge graph, one per node.
click T1078002 href "/offensive-technique/attack/T1078.002/";
click UserAccount href "/dao/artifact/d3f:UserAccount";
click Authentication href "/dao/artifact/d3f:Authentication";
click Authorization href "/dao/artifact/d3f:Authorization";
click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";
click One-timePassword href "/technique/d3f:One-timePassword";
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy";
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication";
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";
click AccountLocking href "/technique/d3f:AccountLocking";
click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis";
click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding";
click AuthorizationEventThresholding href "/technique/d3f:AuthorizationEventThresholding";
click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring";
click JobFunctionAccessPatternAnalysis href "/technique/d3f:JobFunctionAccessPatternAnalysis";
click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis";
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess";
click UnlockAccount href "/technique/d3f:UnlockAccount";