Skip to content

DS0002 User Account

A profile representing a user, device, service, or application used to authenticate and access resources

Item Value
ID DS0002
Platforms Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers Cloud Control Plane, Container, Host
Version 1.0
Created 20 October 2021
Last Modified 30 March 2022

Data Components

User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)

Domain ID Name
enterprise T1110 Brute Force
enterprise T1110.001 Password Guessing
enterprise T1110.002 Password Cracking
enterprise T1110.003 Password Spraying
enterprise T1110.004 Credential Stuffing
enterprise T1538 Cloud Service Dashboard
enterprise T1606 Forge Web Credentials
enterprise T1606.002 SAML Tokens
enterprise T1070 Indicator Removal on Host
enterprise T1070.003 Clear Command History
enterprise T1070.005 Network Share Connection Removal
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1207 Rogue Domain Controller
enterprise T1552 Unsecured Credentials
enterprise T1552.005 Cloud Instance Metadata API
enterprise T1552.007 Container API
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.002 Pass the Hash
enterprise T1550.003 Pass the Ticket
enterprise T1078 Valid Accounts
enterprise T1078.001 Default Accounts
enterprise T1078.002 Domain Accounts
enterprise T1078.003 Local Accounts
enterprise T1078.004 Cloud Accounts

User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

Domain ID Name
enterprise T1136 Create Account
enterprise T1136.001 Local Account
enterprise T1136.002 Domain Account
enterprise T1136.003 Cloud Account
enterprise T1564 Hide Artifacts
enterprise T1564.002 Hidden Users

User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

Domain ID Name
enterprise T1531 Account Access Removal

User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Domain ID Name
enterprise T1134 Access Token Manipulation
enterprise T1134.005 SID-History Injection
enterprise T1564 Hide Artifacts
enterprise T1564.002 Hidden Users
enterprise T1201 Password Policy Discovery

User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

Domain ID Name
enterprise T1531 Account Access Removal
enterprise T1098 Account Manipulation
enterprise T1098.001 Additional Cloud Credentials
enterprise T1098.002 Additional Email Delegate Permissions
enterprise T1098.003 Additional Cloud Roles
enterprise T1098.005 Device Registration
enterprise T1528 Steal Application Access Token


Back to top