T1078.002 Domain Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1078.002 Domain Accounts
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.PS-06.01 Secure SDLC process Mitigates T1078.002 Domain Accounts
    Comments
    This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
    References
      PR.AA-05.02 Privileged system access Mitigates T1078.002 Domain Accounts
      Comments
      This diagnostic statement protects against Domain Accounts through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-06.02 Third-party access monitoring Mitigates T1078.002 Domain Accounts
        Comments
        This diagnostic statement protects against Domain Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
        References
          PR.PS-01.07 Cryptographic keys and certificates Mitigates T1078.002 Domain Accounts
          Comments
          This diagnostic statement protects against Valid Accounts: Domain Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
          References
            PR.AA-05.03 Service accounts Mitigates T1078.002 Domain Accounts
            Comments
            This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).
            References
              DE.CM-03.03 Privileged account monitoring Mitigates T1078.002 Domain Accounts
              Comments
              This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
              References
                PR.AA-01.02 Physical and logical access Mitigates T1078.002 Domain Accounts
                Comments
                This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
                References
                  PR.AA-03.01 Authentication requirements Mitigates T1078.002 Domain Accounts
                  Comments
                  This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
                  References
                    PR.AA-01.01 Identity and credential management Mitigates T1078.002 Domain Accounts
                    Comments
                    This diagnostic statement protects against Domain Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                    References

                      GCP Mappings

                      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                      advanced_protection_program Advanced Protection Program technique_scores T1078.002 Domain Accounts
                      Comments
                      Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
                      References
                      cloud_identity Cloud Identity technique_scores T1078.002 Domain Accounts
                      Comments
                      This control can be used to mitigate malicious attacks of domain accounts by implementing multi-factor authentication techniques or password policies.
                      References

                      AWS Mappings

                      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                      aws_single_sign-on AWS Single Sign-On technique_scores T1078.002 Domain Accounts
                      Comments
                      This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
                      References