Skip to content

DET0560 Detection of Valid Account Abuse Across Platforms

Item Value
ID DET0560
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1078 (Valid Accounts)

Analytics

Windows

AN1543

Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624
User Account Authentication (DC0002) WinEventLog:Security EventCode=4776, 4625
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
LogonType Flag unexpected logon types (e.g., Type 10 for remote interactive logins) for sensitive accounts.
TimeWindow Define acceptable hours for interactive logon activity (e.g., 9AM-6PM local).
GeoIPMismatch Trigger on location anomalies based on prior user behavior or policy.

Linux

AN1544

Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
User Account Authentication (DC0002) NSM:Connections sshd or PAM logins
Mutable Elements
Field Description
UserContext Identify logins to root or sudoers not aligned with normal usage profiles.
HostDensityThreshold Number of unique systems a user authenticates to in a time window.
LoginMethod Trigger on rarely used access methods such as password instead of SSH key.

macOS

AN1545

Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) macos:unifiedlog loginwindow, sshd
Process Creation (DC0032) macos:unifiedlog exec logs
Mutable Elements
Field Description
LoginOrigin Login sourced from unexpected remote addresses.
ProcessTreeDepth Track execution depth or anomalous chains post-login.

Identity Provider

AN1546

Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) saas:okta Sign-in logs / audit events
Mutable Elements
Field Description
MFAFailureCount Threshold of failed MFA attempts before alerting.
RiskScoreThreshold Custom threshold based on calculated identity risk.
IPGeoVelocity Detect impossible travel (logins from two distant geolocations within short time).

Containers

AN1547

Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) kubernetes:audit authentication.k8s.io
Mutable Elements
Field Description
ServiceAccountScope Validate access from expected namespaces only.
ClusterIPWhitelist Permit kubeconfig usage from a limited set of IPs.