Valid Accounts: Default Accounts T1078.001

Tactics: Stealth, Persistence, Privilege Escalation, Initial Access

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider-set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Events covered

4 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 15 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 4 | contains 4, regex_match 1 | -d, -guestaccount, on, /active:yes, [A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12} |
| EventID | 2 | eq 2 | 1, 4688 |
| Image | 2 | ends_with 2 | /dsenableroot, /sysadminctl |
| data_stream.dataset | 2 | eq 2 | kubernetes.audit_logs |
| eventType | 2 | eq 2 | user.account.report_suspicious_activity_by_enduser, user.authentication.auth_via_mfa |
| eventtype | 2 | eq 2 | |
| kubernetes.audit.annotations.authorization_k8s_io/decision | 2 | eq 2 | allow |
| sourcetype | 2 | eq 2 | OktaIM2:log |
| All_Changes.action | 1 | eq 1 | created |
| All_Changes.command | 1 | eq 1 | system.api_token.create |
| AuthenticationPackageName | 1 | eq 1 | Negotiate |
| AwsSecurityFindingGeneratorId | 1 | eq 1 | security-control/IAM.1 |
| ComplianceSecurityControlId | 1 | eq 1 | IAM.1 |
| ComplianceStatus | 1 | eq 1 | FAILED |
| GRANTEE_NAME | 1 | eq 1 | public |

Top indicator values (41 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| data_stream.dataset | eq | kubernetes.audit_logs | 2 | 36 |
| kubernetes.audit.annotations.authorization_k8s_io/decision | eq | allow | 2 | 23 |
| sourcetype | eq | OktaIM2:log | 2 | 12 |
| All_Changes.action | eq | created | 1 | 11 |
| All_Changes.command | eq | system.api_token.create | 1 | |
| AuthenticationPackageName | eq | Negotiate | 1 | 4 |
| AwsSecurityFindingGeneratorId | eq | security-control/IAM.1 | 1 | |
| CommandLine | contains | -d | 1 | 8 |
| CommandLine | contains | -guestaccount | 1 | |
| CommandLine | contains | on | 1 | |
| CommandLine | contains | /active:yes | 1 | |
| CommandLine | contains | _+_publicsharinguser_ | 1 | |
| CommandLine | contains | guest | 1 | |
| CommandLine | contains | qlogin | 1 | 2 |
| CommandLine | contains | user | 1 | 2 |
| CommandLine | regex_match | [A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12} | 1 | |
| ComplianceSecurityControlId | eq | IAM.1 | 1 | |
| ComplianceStatus | eq | FAILED | 1 | 8 |
| EventID | eq | 1 | 1 | 237 |
| EventID | eq | 4688 | 1 | 313 |
| GRANTEE_NAME | eq | public | 1 | |
| Image | ends_with | /dsenableroot | 1 | |
| Image | ends_with | /sysadminctl | 1 | 3 |
| LogonType | eq | RemoteInteractive | 1 | 8 |
| OriginalFileName | eq | net1.exe | 1 | 44 |
| RecordState | eq | ACTIVE | 1 | 8 |
| TargetUserName | starts_with | Admin | 1 | |
| eventType | eq | user.account.report_suspicious_activity_by_enduser | 1 | 2 |
| eventType | eq | user.authentication.auth_via_mfa | 1 | 6 |
| event_type | in | childproc | 1 | 27 |

Exclusions (16 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| CommandLine | contains | -d | 1 |
| aws::userAgent | ends_with | kubernetes/$Format | 1 |
| kubernetes.audit.requestObject.spec.containers.image | contains | amazonaws.com/eks/snapshot-controller | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | docker.io/bitnami/sealed-secrets-controller | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | exoscale/csi-driver | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | mirror.gcr.io/aquasec/trivy | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | public.ecr.aws/eks/aws-load-balancer-controller | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | rancher/mirrored-sig-storage-snapshot-controller | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | registry.k8s.io/autoscaling/vpa-admission-controller | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | registry.k8s.io/sig-storage/csi-attacher | 1 |
| kubernetes.audit.requestObject.spec.containers.image | starts_with | registry.k8s.io/sig-storage/csi-provisioner | 1 |
| kubernetes.audit.requestURI | eq | /.well-known/oauth-authorization-server | 1 |
| kubernetes.audit.requestURI | eq | /version | 1 |
| kubernetes.audit.requestURI | starts_with | /healthz | 1 |
| kubernetes.audit.requestURI | starts_with | /livez | 1 |
1
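As an added example (not the catalog's own code), the evaluation model the authoring guide describes: vendor field names are normalized onto one canonical name, each rule is a conjunction of (field, operator, value) predicates plus top-level not() exclusions, and noisy single indicators are anchored to an Image or EventID predicate. The page supplies the Image/process.name/process_name aliases and the indicator values; the CommandLine aliases, the way indicators are grouped into rules, the "-d" exclusion placement and the sample events are assumptions.

```python
import re

# Vendor field names collapsed onto one canonical row, as the catalog does for
# Sigma Image / Elastic process.name / Splunk process_name (CommandLine aliases assumed).
FIELD_ALIASES = {"process.name": "Image", "process_name": "Image",
                 "process.command_line": "CommandLine", "process": "CommandLine"}

OPERATORS = {
    "eq": lambda got, want: str(got) == str(want),
    "contains": lambda got, want: want.lower() in str(got).lower(),
    "starts_with": lambda got, want: str(got).lower().startswith(want.lower()),
    "ends_with": lambda got, want: str(got).lower().endswith(want.lower()),
    "regex_match": lambda got, want: re.search(want, str(got)) is not None,
}

# Each rule is (predicates, exclusions); predicates are ANDed, exclusions are the
# top-level not() clauses. Noisy single indicators ("on", "-d") are never used alone
# but anchored to an Image or EventID predicate, as the authoring guide advises.
RULES = {
    "win_guest_enabled": ([("EventID", "eq", 4688), ("OriginalFileName", "eq", "net1.exe"),
                           ("CommandLine", "contains", "/active:yes")], []),
    "macos_guest_enabled": ([("Image", "ends_with", "/sysadminctl"),
                             ("CommandLine", "contains", "-guestaccount"),
                             ("CommandLine", "contains", "on")],
                            [("CommandLine", "contains", "-d")]),  # exclusion is assumed
    "macos_root_enabled": ([("Image", "ends_with", "/dsenableroot")], []),
}

def normalize(event):
    """Rename vendor-specific fields to the canonical names used in RULES."""
    return {FIELD_ALIASES.get(k, k): v for k, v in event.items()}

def holds(event, field, op, value):
    return field in event and OPERATORS[op](event[field], value)

def evaluate(event):
    """Return the names of rules whose predicates all hold and whose exclusions do not."""
    ev = normalize(event)
    return [name for name, (where, exclude) in RULES.items()
            if all(holds(ev, *p) for p in where) and not any(holds(ev, *p) for p in exclude)]

SAMPLE_EVENTS = [  # constructed events in three vendors' field styles; not real telemetry
    {"EventID": 4688, "OriginalFileName": "net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user Guest /active:yes"},   # Sigma/Windows
    {"process.name": "/usr/sbin/sysadminctl",
     "process.command_line": "sysadminctl -guestAccount on"},                 # Elastic/macOS
    {"process_name": "/usr/sbin/dsenableroot", "process": "dsenableroot -u admin"},  # Splunk
    {"EventID": 4688, "OriginalFileName": "net1.exe", "CommandLine": "net1 user Guest /active:no"},
]
```

The last sample event disables rather than enables the account and is there to show that the contains /active:yes predicate, not the net1.exe indicator alone (corpus reach 44), carries the signal.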

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.


Sigma 4 rules

Elastic 2 rules

Splunk 7 rules

Kusto 1 rule

Panther 1 rule