T1078.002 Domain Accounts Mappings

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1078.002 Domain Accounts
AC-20 Use of External Systems Protects T1078.002 Domain Accounts
AC-3 Access Enforcement Protects T1078.002 Domain Accounts
AC-5 Separation of Duties Protects T1078.002 Domain Accounts
AC-6 Least Privilege Protects T1078.002 Domain Accounts
AC-7 Unsuccessful Logon Attempts Protects T1078.002 Domain Accounts
CM-5 Access Restrictions for Change Protects T1078.002 Domain Accounts
CM-6 Configuration Settings Protects T1078.002 Domain Accounts
IA-12 Identity Proofing Protects T1078.002 Domain Accounts
IA-2 Identification and Authentication (organizational Users) Protects T1078.002 Domain Accounts
IA-5 Authenticator Management Protects T1078.002 Domain Accounts
SI-4 System Monitoring Protects T1078.002 Domain Accounts
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1078.002 Valid Accounts: Domain Accounts
aws_single_sign-on AWS Single Sign-On technique_scores T1078.002 Domain Accounts
Comments
This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
References