Esc
Domain Accounts - T1078.002
(ATT&CK® Technique)
Definition
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1078002["Domain Accounts"] --> |uses| UserAccount["User Account"]; class T1078002 OffensiveTechniqueNode; class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount"; click T1078002 href "/offensive-technique/attack/T1078.002/"; click UserAccount href "/dao/artifact/d3f:UserAccount"; T1078002["Domain Accounts"] --> |uses| DomainUserAccount["Domain User Account"]; class T1078002 OffensiveTechniqueNode; class DomainUserAccount ArtifactNode; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount"; click T1078002 href "/offensive-technique/attack/T1078.002/"; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount"; UserAccountPermissions["User Account Permissions"] --> | restricts | UserAccount["User Account"]; UserAccountPermissions["User Account Permissions"] -.-> | may-isolate | T1078002["Domain Accounts"] ; class UserAccountPermissions DefensiveTechniqueNode; class UserAccount ArtifactNode; click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] --> | restricts | DomainUserAccount["Domain User Account"]; class UserAccountPermissions DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; AgentAuthentication["Agent Authentication"] --> | strengthens | UserAccount["User Account"]; AgentAuthentication["Agent Authentication"] -.-> | may-harden | T1078002["Domain Accounts"] ; class AgentAuthentication DefensiveTechniqueNode; class UserAccount ArtifactNode; click AgentAuthentication href "/technique/d3f:AgentAuthentication"; AgentAuthentication["Agent Authentication"] --> | strengthens | DomainUserAccount["Domain User Account"]; class AgentAuthentication DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click AgentAuthentication href "/technique/d3f:AgentAuthentication"; DomainAccountMonitoring["Domain Account Monitoring"] --> | monitors | DomainUserAccount["Domain User Account"]; DomainAccountMonitoring["Domain Account Monitoring"] -.-> | may-detect | T1078002["Domain Accounts"] ; class DomainAccountMonitoring DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; AccountLocking["Account Locking"] --> | disables | UserAccount["User Account"]; AccountLocking["Account Locking"] -.-> | may-evict | T1078002["Domain Accounts"] ; class AccountLocking DefensiveTechniqueNode; class UserAccount ArtifactNode; click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] --> | disables | DomainUserAccount["Domain User Account"]; class AccountLocking DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click AccountLocking href "/technique/d3f:AccountLocking"; RestoreUserAccountAccess["Restore User Account Access"] --> | restores | UserAccount["User Account"]; RestoreUserAccountAccess["Restore User Account Access"] -.-> | may-restore | T1078002["Domain Accounts"] ; class RestoreUserAccountAccess DefensiveTechniqueNode; class UserAccount ArtifactNode; click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] --> | restores | DomainUserAccount["Domain User Account"]; class RestoreUserAccountAccess DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; UnlockAccount["Unlock Account"] --> | restores | UserAccount["User Account"]; UnlockAccount["Unlock Account"] -.-> | may-restore | T1078002["Domain Accounts"] ; class UnlockAccount DefensiveTechniqueNode; class UserAccount ArtifactNode; click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] --> | restores | DomainUserAccount["Domain User Account"]; class UnlockAccount DefensiveTechniqueNode; class DomainUserAccount ArtifactNode; click UnlockAccount href "/technique/d3f:UnlockAccount";