T1078.002: T1078.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:21 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1078.002
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:21
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Domain Accounts

Platforms

windows macos linux ESXi

Description

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

TechNet Credential Theft
TechNet Audit Policy
Ubuntu SSSD Docs
mitre-attack (T1078.002)
Microsoft AD Accounts

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (48)

Helldown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jumpy Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius uses Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1132 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tycoon Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Bakunawa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silent Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackJack uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 48

SuperBlack uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HemiGate uses

Family
Rust backdoor uses

Family
Cobalt Strike uses

Family
ShadowPad - S0596 uses

Family
SSLoad uses

Family
Cactus uses

Family
BlackCat - S1068 uses

Family
FaceFish uses

Family
Latrodectus uses

The MITRE Corporation Confidence 100

[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 55

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited … related

12 CVEs 20 MITREs 1 Observable
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
Investigating Iranian Intrusion into Strategic Middle East Critical … related

9 MITREs 35 Observables 1 APT
Inside BRUTED: Black Basta (RaaS) Used Automated Brute … related

10 MITREs 2 Malwares 18 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (40)

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2026-22584 targets

9.8 Critical

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …

Attack vector: NETWORK
EPSS: 0.0003 (P7.6%)
Published: 09/01/2026
Modified: 17/04/2026

Received

CVE-2024-49112 targets

9.8 Critical

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Published: 12/12/2024
Modified: 12/12/2024

Undergoing Analysis

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2026-0300 KEV targets

9.3 Critical

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …

Attack vector: Network
Complexity: Low
Published: 06/05/2026
Modified: 15/05/2026

CWE-787 Received

CVE-2025-52905 targets

7.0 High

Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Published: 23/09/2025
Modified: 24/09/2025

Awaiting Analysis

CVE-2025-53521 KEV targets

8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector: Network
Complexity: Low
Published: 15/10/2025
Modified: 04/04/2026

CWE-770 CWE-121 Received

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 4

13–24 of 40

T1078 subtechnique-of

Valid Accounts MITRE

Campaign (8)

Operation Wocao uses
Operation CuckooBees uses
Leviathan Australian Intrusions uses
Operation MidnightEclipse uses
Night Dragon uses
Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation Ghost uses

Course Of Action (4)

User Account Management mitigates
Privileged Account Management mitigates
User Training mitigates
Multi-factor Authentication mitigates

Contact About Legal notice Privacy policy Terms of use