T1078.002: T1078.002

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:21 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1078.002
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:21
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Domain Accounts

Platforms

windows macos linux ESXi

Description

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

TechNet Credential Theft
TechNet Audit Policy
Ubuntu SSSD Docs
mitre-attack (T1078.002)
Microsoft AD Accounts

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (48)

Helldown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Jumpy Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius uses Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1132 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tycoon Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Bakunawa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silent Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackJack uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 48

SuperBlack uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HemiGate uses

Family
Rust backdoor uses

Family
Cobalt Strike uses

Family
ShadowPad - S0596 uses

Family
SSLoad uses

Family
Cactus uses

Family
BlackCat - S1068 uses

Family
FaceFish uses

Family
Latrodectus uses

The MITRE Corporation Confidence 100

[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 55

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited … related

12 CVEs 20 MITREs 1 Observable
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
Investigating Iranian Intrusion into Strategic Middle East Critical … related

9 MITREs 35 Observables 1 APT
Inside BRUTED: Black Basta (RaaS) Used Automated Brute … related

10 MITREs 2 Malwares 18 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (40)

CVE-2024-50623 KEV targets

9.8 Critical

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …

Attack vector: Network
Published: 13/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-53868 targets

8.5 High

When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …

Attack vector: Network
Published: 15/10/2025
Modified: 04/02/2026

Received

CVE-2023-33538 KEV targets

8.8 High

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …

Attack vector: Network
Published: 16/06/2025
Modified: 21/12/2025

CVE-2025-32433 KEV targets

10.0 Critical

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …

Attack vector: Network
Published: 09/06/2025
Modified: 27/05/2026

Received

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2021-22005 KEV targets

VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2025-23304 targets

7.8 High

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …

Attack vector: LOCAL
Published: 13/08/2025
Modified: 17/04/2026

Awaiting Analysis

CVE-2025-33073 KEV targets

8.8 High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …

Attack vector: Network
Published: 20/10/2025
Modified: 27/05/2026

Received

← Previous

Page / 4

25–36 of 40

T1078 subtechnique-of

Valid Accounts MITRE

Campaign (8)

Operation Wocao uses
Operation CuckooBees uses
Leviathan Australian Intrusions uses
Operation MidnightEclipse uses
Night Dragon uses
Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation Ghost uses

Course Of Action (4)

User Account Management mitigates
Privileged Account Management mitigates
User Training mitigates
Multi-factor Authentication mitigates

Contact About Legal notice Privacy policy Terms of use