T1078.002: T1078.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1078.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Domain Accounts

Platforms

windows macos linux ESXi

Description

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

TechNet Credential Theft
TechNet Audit Policy
Ubuntu SSSD Docs
mitre-attack (T1078.002)
Microsoft AD Accounts

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (49)

Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda uses

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cinnamon Tempest uses DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-1314 uses TG-1314

The MITRE Corporation Confidence 100

[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Beast Ransomware uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToddyCat uses

The MITRE Corporation Confidence 100

[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera uses

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 49

SuperBlack uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
mimikatz uses

Family
HemiGate uses

Family
Rust backdoor uses

Family
Cobalt Strike uses

Family
ShadowPad - S0596 uses

Family
SSLoad uses

Family
Cactus uses

Family
BlackCat - S1068 uses

Family
FaceFish uses

Family
Latrodectus uses

Family

← Previous

Page / 7

1–12 of 80

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited … related

12 CVEs 20 MITREs 1 Observable
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
Investigating Iranian Intrusion into Strategic Middle East Critical … related

9 MITREs 35 Observables 1 APT
Inside BRUTED: Black Basta (RaaS) Used Automated Brute … related

10 MITREs 2 Malwares 18 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (40)

CVE-2024-36401 KEV targets

9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector: Network
Published: 15/07/2024
Modified: 21/12/2025

CVE-2024-49113 targets

7.5 High

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Published: 12/12/2024
Modified: 12/12/2024

Undergoing Analysis

CVE-2025-14847 KEV targets

8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector: NETWORK
Published: 19/12/2025
Modified: 26/01/2026

Awaiting Analysis

CVE-2024-2012 targets

9.1 Critical

vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code …

Published: 11/06/2024
Modified: 11/06/2024

Received

CVE-2025-52906 targets

9.3 Critical

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue …

Published: 24/09/2025
Modified: 24/09/2025

Received

CVE-2025-61955 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-21042 targets

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2021-21972 KEV targets

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-0921 targets

6.5 Medium

Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …

Attack vector: Local
Complexity: LOW
Published: 16/05/2025
Modified: 17/04/2026

CWE-250

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2024-29868 targets

9.1 Critical

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker …

Attack vector: NETWORK
Published: 24/06/2024
Modified: 21/12/2025

Awaiting Analysis

← Previous

Page / 4

1–12 of 40

T1078 subtechnique-of

Valid Accounts MITRE

Campaign (10)

Operation Wocao uses
Operation CuckooBees uses
Leviathan Australian Intrusions uses
Operation MidnightEclipse uses
Night Dragon uses
Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation Ghost uses
SolarWinds Compromise uses
Salesforce Data Exfiltration uses

Course Of Action (5)

User Account Management mitigates
Privileged Account Management mitigates
User Training mitigates
Multi-factor Authentication mitigates
Password Policies mitigates

Contact About Legal notice Privacy policy Terms of use