MITRE ATT&CK Technique
Defense Evasion
T1078.002
Description
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.
Supported Platforms
ESXi
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-13T20:21:54.758Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may obtain and abuse credentials of a domain '
'account as a means of gaining Initial Access, Persistence, '
'Privilege Escalation, or Defense Evasion.(Citation: TechNet '
'Credential Theft) Domain accounts are those managed by Active '
'Directory Domain Services where access and permissions are '
'configured across systems and services that are part of that '
'domain. Domain accounts can cover users, administrators, and '
'services.(Citation: Microsoft AD Accounts)\n'
'\n'
'Adversaries may compromise domain accounts, some with a high '
'level of privileges, through various means such as [OS '
'Credential '
'Dumping](https://attack.mitre.org/techniques/T1003) or '
'password reuse, allowing access to privileged resources of '
'the domain.',
'external_references': [{'external_id': 'T1078.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1078/002'},
{'description': 'Microsoft. (2016, April 15). '
'Attractive Accounts for Credential '
'Theft. Retrieved June 3, 2016.',
'source_name': 'TechNet Credential Theft',
'url': 'https://technet.microsoft.com/en-us/library/dn535501.aspx'},
{'description': 'Microsoft. (2016, April 15). Audit '
'Policy Recommendations. Retrieved '
'June 3, 2016.',
'source_name': 'TechNet Audit Policy',
'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'},
{'description': 'Microsoft. (2019, August 23). Active '
'Directory Accounts. Retrieved March '
'13, 2020.',
'source_name': 'Microsoft AD Accounts',
'url': 'https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts'},
{'description': 'Ubuntu. (n.d.). SSSD. Retrieved '
'September 23, 2021.',
'source_name': 'Ubuntu SSSD Docs',
'url': 'https://ubuntu.com/server/docs/service-sssd'}],
'id': 'attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'initial-access'}],
'modified': '2025-10-24T17:49:21.034Z',
'name': 'Domain Accounts',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jon Sternstein, Stern Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.5'}