Skip to content

DC0002 User Account Authentication

Item Value
ID DC0002
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
auditd:AUTH pam_unix or pam_google_authenticator invoked repeatedly within short interval
auditd:SYSCALL pam_authenticate, sshd
auditd:SYSCALL execution of ssh, scp, or sftp using previously unseen credentials or keys
auditd:USER_LOGIN USER_AUTH
AWS:CloudTrail AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests
AWS:CloudTrail sts:GetFederationToken
AWS:CloudTrail AssumeRoleWithWebIdentity
AWS:CloudTrail AWS IAM: ListUsers, ListRoles
AWS:CloudTrail eventName=ConsoleLogin
AWS:CloudTrail ConsoleLogin or AssumeRole
AWS:CloudTrail ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser
azure:signinlogs Success logs from high-risk accounts
azure:signinlogs Multiple MFA challenge requests without successful primary login
azure:signinlogs TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events
azure:signinlogs SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times
azure:signinlogs Operation=UserLogin
azure:signinlogs Unusual Token Usage or Application Consent
azure:signinlogs OperationName=SetDomainAuthentication OR Set-FederatedDomain
azure:signinlogs Sign-in with unfamiliar location/device + portal navigation
azure:signinlogs Login from newly created account
azure:signinlogs Interactive/Non-Interactive Sign-In
azure:signinlogs Reset password or download key from portal
azure:signinlogs status = failure
azure:signinlogs Sign-in logs
azure:signinlogs SigninSuccess
azure:signinlogs Failure Reason + UserPrincipalName
azure:signinlogs Sign-in activity
azure:signinlogs Sign-in logs / audit events
esxi:auth interactive shell or SSH access preceding storage enumeration
esxi:auth /var/log/auth.log
esxi:auth SSH session/login
esxi:vpxa user login from unexpected IP or non-admin user role
esxi:vpxd /var/log/vmware/vpxd.log
ESXiLogs:authlog Unexpected login followed by encoding commands
gcp:audit drive.activity
gcp:audit login.event
gcp:audit Sign-in logs / audit events
gcp:workspaceaudit Token Generation via Domain Delegation
GCPAuditLogs:login.googleapis.com Failed sign-in events
kubernetes:apiserver get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts
kubernetes:apiserver authentication.k8s.io/v1beta1
kubernetes:audit Failed login
kubernetes:audit authentication.k8s.io
linux:auth sshd login
linux:syslog sudo/date/timedatectl execution by non-standard users
linux:syslog SSH failed login
linux:syslog Failed password for invalid user
linux:syslog sshd[pid]: Failed password
linux:syslog authentication and authorization events during environmental validation phase
m365:exchange Logon failure
m365:exchange FailedLogin
m365:signinlogs Sign-in from anomalous location or impossible travel condition
m365:signinlogs UserLoginSuccess
m365:signinlogs Unusual sign-in from service principal to user mailbox
m365:unified Delegated permission grants without user login event
m365:unified login using refresh_token with no preceding authentication context
m365:unified Sign-in logs
macos:unifiedlog successful sudo or authentication for account not normally associated with admin actions
macos:unifiedlog Login success without MFA step
macos:unifiedlog log show –predicate ‘eventMessage contains “Authentication”’
macos:unifiedlog User credential prompt events without associated trusted installer package
macos:unifiedlog Login failure / authorization denied
macos:unifiedlog auth
macos:unifiedlog Login Window and Authd errors
macos:unifiedlog authd
network:auth repeated successful authentications with previously unknown accounts or anomalous password acceptance
networkdevice:syslog config access, authentication logs
networkdevice:syslog User privilege escalation to level 15/root prior to destructive commands
networkdevice:syslog authorization/accounting logs
networkdevice:syslog Failed and successful logins to network devices outside approved admin IP ranges
networkdevice:syslog Privileged login followed by destructive format command
networkdevice:syslog admin login events
networkdevice:syslog Privileged login followed by destructive command sequence
networkdevice:syslog AAA, RADIUS, or TACACS authentication
networkdevice:syslog authentication logs
networkdevice:syslog AAA or TACACS authentication failures
networkdevice:syslog authentication & authorization
networkdevice:syslog login failed
NSM:Connections Accepted password or publickey for user from remote IP
NSM:Connections Repeated failed authentication attempts or replay patterns
NSM:Connections Successful login without expected MFA challenge
NSM:Connections sshd or PAM logins
NSM:Flow TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process
Okta:authn authentication_failure
Okta:SystemLog eventType: user.authentication.sso, app.oauth2.token.grant
saas-app:auth login_failure
saas:audit Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies.
saas:auth signin_failed
saas:googleworkspace API access without user login
saas:googleworkspace Accessed third-party credential management service
saas:googleworkspace login with reused session token and mismatched user agent or IP
saas:googleworkspace Access via OAuth credentials with unusual scopes or from anomalous IPs
saas:okta session.impersonation.start
saas:okta Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira
saas:okta authentication_failure
saas:okta Sign-in logs / audit events
saas:salesforce API login using access_token without login history
saas:salesforce Login
User Account None
WinEventLog:Security EventCode=4625
WinEventLog:Security EventCode=4769, 1200, 1202
WinEventLog:Security EventCode=4768, 4769, 4770
WinEventLog:Security EventCode=4769
WinEventLog:Security EventCode=4776, 4625
WinEventLog:Security EventCode=4625, 4771, 4648
WinEventLog:Security EventCode=4648

Detection Strategy

ID Name Technique Detected
DET0210 Abuse of Domain Accounts T1078.002
DET0120 Account Access Removal via Multi-Platform Audit Correlation T1531
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0354 Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers T1133
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0142 Behavioral Detection of CLI Abuse on Network Devices T1059.008
DET0516 Behavioral Detection of Command and Scripting Interpreter Abuse T1059
DET0078 Behavioral Detection of Malicious Cloud API Scripting T1059.009
DET0338 Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) T1550
DET0185 Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001) T1550.001
DET0463 Brute Force Authentication Failures with Multi-Platform Log Correlation T1110
DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces T1087.004
DET0460 Credential Stuffing Detection via Reused Breached Credentials Across Services T1110.004
DET0198 Detect Abuse of Container APIs for Credential Access T1552.007
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0190 Detect MFA Modification or Disabling Across Platforms T1556.006
DET0272 Detect Modification of Network Device Authentication via Patched System Images T1556.004
DET0111 Detect Unsecured Credentials Shared in Chat Messages T1552.008
DET0074 Detect Use of Stolen Web Session Cookies Across Platforms T1550.004
DET0546 Detection of Abused or Compromised Cloud Accounts for Access and Persistence T1078.004
DET0291 Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access T1538
DET0465 Detection of Default Account Abuse Across Platforms T1078.001
DET0270 Detection of Domain or Tenant Policy Modifications via AD and Identity Provider T1484
DET0407 Detection of Local Account Abuse for Initial Access and Persistence T1078.003
DET0560 Detection of Valid Account Abuse Across Platforms T1078
DET0724 Detection of Valid Accounts T0859
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0108 Detection Strategy for Data Encoding in C2 Channels T1132
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0558 Detection Strategy for ESXi Hypervisor CLI Abuse T1059.012
DET0174 Detection Strategy for Exploitation for Credential Access T1212
DET0148 Detection Strategy for Forged SAML Tokens T1606.002
DET0160 Detection Strategy for Multi-Factor Authentication Request Generation (T1621) T1621
DET0233 Detection Strategy for Network Device Configuration Dump via Config Repositories T1602.002
DET0314 Detection Strategy for Network Sniffing Across Platforms T1040
DET0156 Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs T1496.003
DET0319 Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office T1136.003
DET0515 Detection Strategy for T1528 - Steal Application Access Token T1528
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows) T1550.003
DET0393 Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005) T1548.005
DET0536 Detection Strategy for Wi-Fi Networks T1669
DET0487 Distributed Password Spraying via Authentication Failures Across Multiple Accounts T1110.003
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0229 Enumeration of Global Address Lists via Email Account Discovery T1087.003
DET0054 Internal Spearphishing via Trusted Accounts T1534
DET0188 Local Storage Discovery via Drive Enumeration and Filesystem Probing T1680
DET0395 macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection T1548.004
DET0484 Multi-Platform Cloud Storage Exfiltration Behavior Chain T1530
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0551 Password Guessing via Multi-Source Authentication Failure Correlation T1110.001
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms T1136.002