T1078.002: T1078.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 21:21 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1078.002
Confidence: 100/100
Revoked: No
Published: 13/03/2020 21:21
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Domain Accounts

Platforms

windows macos linux ESXi

Description

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	initial-access
mitre-attack	persistence
mitre-attack	privilege-escalation

Marking (TLP)

External references

TechNet Credential Theft
TechNet Audit Policy
Ubuntu SSSD Docs
mitre-attack (T1078.002)
Microsoft AD Accounts

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (48)

Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda uses

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cinnamon Tempest uses DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-1314 uses TG-1314

The MITRE Corporation Confidence 100

[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Beast Ransomware uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToddyCat uses

The MITRE Corporation Confidence 100

[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera uses

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 48

SuperBlack uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HemiGate uses

Family
Rust backdoor uses

Family
Cobalt Strike uses

Family
ShadowPad - S0596 uses

Family
SSLoad uses

Family
Cactus uses

Family
BlackCat - S1068 uses

Family
FaceFish uses

Family
Latrodectus uses

The MITRE Corporation Confidence 100

[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 55

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
From edge appliance to enterprise compromise: Multi-stage Linux … related

5 CVEs 14 MITREs 2 Malwares 5 Observables
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited … related

12 CVEs 20 MITREs 1 Observable
The DragonForce Cartel: Scattered Spider at the gate related

15 MITREs 5 Malwares 1 APT
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
Investigating Iranian Intrusion into Strategic Middle East Critical … related

9 MITREs 35 Observables 1 APT
Inside BRUTED: Black Basta (RaaS) Used Automated Brute … related

10 MITREs 2 Malwares 18 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (40)

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2026-22584 targets

9.8 Critical

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …

Attack vector: NETWORK
EPSS: 0.0003 (P7.6%)
Published: 09/01/2026
Modified: 17/04/2026

Received

CVE-2024-49112 targets

9.8 Critical

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Published: 12/12/2024
Modified: 12/12/2024

Undergoing Analysis

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2026-0300 KEV targets

9.3 Critical

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …

Attack vector: Network
Complexity: Low
Published: 06/05/2026
Modified: 15/05/2026

CWE-787 Received

CVE-2025-52905 targets

7.0 High

Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Published: 23/09/2025
Modified: 24/09/2025

Awaiting Analysis

CVE-2025-53521 KEV targets

8.7 High

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …

Attack vector: Network
Complexity: Low
Published: 15/10/2025
Modified: 04/04/2026

CWE-770 CWE-121 Received

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 4

13–24 of 40

T1078 subtechnique-of

Valid Accounts MITRE

Campaign (8)

Operation Wocao uses
Operation CuckooBees uses
Leviathan Australian Intrusions uses
Operation MidnightEclipse uses
Night Dragon uses
Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation Ghost uses

Course Of Action (4)

User Account Management mitigates
Privileged Account Management mitigates
User Training mitigates
Multi-factor Authentication mitigates

Contact About Legal notice Privacy policy Terms of use