Initial Access (TA0001)

Sub-technique: T1078.001 - Default Accounts

Objective: Detect unauthorised access using default accounts.

Default Account Logins

IdentityLogonEvents
| where AccountName in ("Administrator", "Guest", "root")
| summarize event_count = count() by AccountName, DeviceName, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count
| order by event_count desc

Purpose: Monitor login events using default accounts.

Detect Administrator Account Usage

IdentityLogonEvents
| where AccountName == "Administrator"
| summarize event_count = count() by DeviceName, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, DeviceName, event_count
| order by event_count desc

Purpose: Identify unusual usage of the Administrator account.

Guest Account Logins

IdentityLogonEvents
| where AccountName == "Guest"
| summarize event_count = count() by DeviceName, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, DeviceName, event_count
| order by event_count desc

Purpose: Detect any use of the Guest account.

Multiple Failed Login Attempts for Default Accounts

IdentityLogonEvents
| where AccountName in ("Administrator", "Guest", "root") and ActionType == "LogonFailed"
| summarize event_count = count() by AccountName, DeviceName, IPAddress, DestinationDeviceName, DestinationPort, DestinationIPAddress, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count, IPAddress, DestinationDeviceName, DestinationPort, DestinationIPAddress
| order by event_count desc

Purpose: Identify failed login attempts for default accounts.

Detect Unauthorized Access Attempts to Default Accounts

IdentityLogonEvents 
| where AccountName in ("Administrator", "Guest") and LogonType != "Local"
| summarize event_count = count() by AccountName, DeviceName, IPAddress, DestinationDeviceName, DestinationPort, DestinationIPAddress, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count, IPAddress, DestinationDeviceName, DestinationPort, DestinationIPAddress
| order by event_count desc

Purpose: Detect remote access attempts to default accounts.

Logins from Multiple IPs for Default Accounts

IdentityLogonEvents
| where AccountName in ("Administrator", "Guest")
| summarize event_count = count() by AccountName, IPAddress, TimeGenerated, DeviceName, LogonType
| where event_count > 1
| project AccountName, IPAddress, event_count, TimeGenerated, DeviceName, LogonType
| order by event_count desc

Purpose: Identify default account logins from multiple IPs.

Identify Default Accounts with Elevated Privileges

IdentityLogonEvents
| where AccountName in ("Administrator", "Guest", "root") and ActionType == "LogonFailed"
| summarize event_count = count() by AccountName, IPAddress, DeviceName, LogonType, AccountDomain, OSPlatform, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, IPAddress, event_count, DeviceName, LogonType, AccountDomain, OSPlatform
| order by event_count desc

Purpose: Monitor default accounts for elevation to administrative privileges.

Detect Default Account Creation

IdentityDirectoryEvents
| where ActionType == "NewUserCreated" and AccountName in ("Administrator", "Guest")
| summarize event_count = count() by AccountName, DeviceName, AccountDomain, ActionType, DestinationDeviceName,DestinationIPAddress, Application, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count, AccountDomain, ActionType, DestinationDeviceName,DestinationIPAddress, Application
| order by event_count desc

Purpose: Identify the creation of default accounts.

Detect Changes to Default Account Permissions

IdentityDirectoryEvents
| where ActionType == "UserAccountControlChanged" and AccountName in ("Administrator", "Guest")
| summarize event_count = count() by AccountName, DeviceName, AccountDomain, ActionType, DestinationDeviceName,DestinationIPAddress, Application, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count, AccountDomain, ActionType, DestinationDeviceName,DestinationIPAddress, Application
| order by event_count desc

Purpose: Monitor for permission changes to default accounts.

Detect Default Account Logins During Off-Hours

IdentityLogonEvents
| where AccountName in ("Administrator", "Guest") and (toint(format_datetime(TimeGenerated, 'HH')) < 6 or toint(format_datetime(TimeGenerated, 'HH')) > 18)
| summarize event_count = count() by AccountName, DeviceName, IPAddress, LogonType, AccountDomain, OSPlatform, bin(TimeGenerated, 1h)
| where event_count > 1
| project TimeGenerated, AccountName, DeviceName, event_count, IPAddress, LogonType, AccountDomain, OSPlatform
| order by event_count desc

Purpose: Identify off-hour logins using default accounts.

PreviousReconnaissance (TA0043)NextExecution (TA0002)

Last updated 10 months ago