# DS0002 User Account
A profile representing a user, device, service, or application used to authenticate and access resources
Item | Value |
---|---|
ID | DS0002 |
Platforms | Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
Collection Layers | Cloud Control Plane, Container, Host |
Version | 1.1 |
Created | 20 October 2021 |
Last Modified | 07 December 2022 |
## Data Components

### User Account Authentication
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)
### User Account Creation
Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
Domain | ID | Name |
---|---|---|
enterprise | T1136 | Create Account |
enterprise | T1136.001 | Local Account |
enterprise | T1136.002 | Domain Account |
enterprise | T1136.003 | Cloud Account |
enterprise | T1564 | Hide Artifacts |
enterprise | T1564.002 | Hidden Users |
### User Account Deletion
Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)
Domain | ID | Name |
---|---|---|
enterprise | T1531 | Account Access Removal |
enterprise | T1070 | Indicator Removal |
enterprise | T1070.009 | Clear Persistence |
### User Account Metadata
Contextual data about an account, which may include a username, user ID, environmental data, etc.
Domain | ID | Name |
---|---|---|
enterprise | T1134 | Access Token Manipulation |
enterprise | T1134.005 | SID-History Injection |
enterprise | T1564 | Hide Artifacts |
enterprise | T1564.002 | Hidden Users |
enterprise | T1556 | Modify Authentication Process |
enterprise | T1556.005 | Reversible Encryption |
enterprise | T1201 | Password Policy Discovery |
### User Account Modification
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
Domain | ID | Name |
---|---|---|
enterprise | T1531 | Account Access Removal |
enterprise | T1098 | Account Manipulation |
enterprise | T1098.001 | Additional Cloud Credentials |
enterprise | T1098.002 | Additional Email Delegate Permissions |
enterprise | T1098.003 | Additional Cloud Roles |
enterprise | T1098.005 | Device Registration |
enterprise | T1562 | Impair Defenses |
enterprise | T1562.008 | Disable Cloud Logs |
enterprise | T1556 | Modify Authentication Process |
enterprise | T1556.006 | Multi-Factor Authentication |
enterprise | T1528 | Steal Application Access Token |