User Account

A profile representing a user, device, service, or application used to authenticate and access resources.

ID: DS0002
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Container, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

User Account: User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log).

Domain      ID         Name
Enterprise  T1110      Brute Force
            .001       Password Guessing
            .002       Password Cracking
            .003       Password Spraying
            .004       Credential Stuffing
Enterprise  T1538      Cloud Service Dashboard
Enterprise  T1070      Indicator Removal on Host
            .005       Network Share Connection Removal
Enterprise  T1207      Rogue Domain Controller
Enterprise  T1552      Unsecured Credentials
            .005       Cloud Instance Metadata API
            .007       Container API
Enterprise  T1550      Use Alternate Authentication Material
            .002       Pass the Hash
            .003       Pass the Ticket
Enterprise  T1078      Valid Accounts
            .001       Default Accounts
            .002       Domain Accounts
            .003       Local Accounts
            .004       Cloud Accounts

User Account: User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs).

Domain      ID         Name
Enterprise  T1136      Create Account
            .001       Local Account
            .002       Domain Account
            .003       Cloud Account
Enterprise  T1564      Hide Artifacts
            .002       Hidden Users

User Account: User Account Deletion

Removal of an account (ex: Windows EID 4726 or the access/authentication logs under /var/log).

Domain      ID         Name
Enterprise  T1531      Account Access Removal

User Account: User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Domain      ID         Name
Enterprise  T1134      Access Token Manipulation
            .005       SID-History Injection
Enterprise  T1087      Account Discovery
            .003       Email Account
            .004       Cloud Account
Enterprise  T1564      Hide Artifacts
            .002       Hidden Users
Enterprise  T1201      Password Policy Discovery

User Account: User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or the access/authentication logs under /var/log).

Domain      ID         Name
Enterprise  T1531      Account Access Removal
Enterprise  T1098      Account Manipulation
            .001       Additional Cloud Credentials
            .002       Exchange Email Delegate Permissions
            .003       Add Office 365 Global Administrator Role
Enterprise  T1528      Steal Application Access Token