Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1857: Analytic 1857

Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

ICSAN1857AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because abuse of valid accounts can look like normal business activity while enabling initial access, persistence, privilege escalation, defense evasion, or lateral movement. For security leaders, the key question is whether authentication activity can be correlated with physical access, VPN access, system usage, and account context well enough to identify impossible or unlikely user behavior.

Executive priority

Prioritize this as an identity and SOC readiness issue: if the organization cannot explain who logged in, from where, when, and whether that access aligns with expected business activity, incident responders may struggle to separate normal operations from credential misuse. It also supports audit and resilience conversations around privileged, service, shared, and remote access accounts, especially where simultaneous or out-of-hours use could indicate material control gaps.

Technical view

SOC and detection teams should validate monitoring for authentication attempts and logon behavior across systems, with correlation to other security systems where available. The supplied ATT&CK description highlights suspicious patterns such as one account logged into multiple systems simultaneously, multiple accounts logged into the same machine, accounts active at odd times or outside business hours, and account activity inconsistent with building entry or VPN access. Because no ATT&CK platforms, tactics, or formal detection logic are supplied, local architecture must determine data sources, thresholds, and tuning.

Likely telemetry

  • Authentication and logon events
  • Account session activity across multiple systems
  • VPN access logs
  • Physical access or building entry records
  • Process ownership or remote execution records tied to user, admin, or service accounts

Detection direction

  • Validate whether authentication events can be correlated across systems rather than reviewed in isolation.
  • Tune for abnormal concurrency, such as one account active on multiple systems or multiple accounts active on one system.
  • Compare login activity with VPN and physical access context where those records exist.
  • Baseline expected hours and locations for high-value, admin, shared, and service accounts before alerting aggressively.
  • Account for false positives from legitimate administrative work, scheduled tasks, service accounts, shift work, and remote support activity.

Mitigation priorities

  • Start by inventorying shared, admin, and service accounts that could weaken attribution.
  • Ensure authentication, VPN, and relevant physical access logs are retained and accessible to SOC and IR workflows.
  • Reduce unnecessary shared account use and strengthen governance for privileged and service accounts.
  • Define expected account usage patterns, including business hours, allowed access paths, and systems normally accessed.
  • Use findings from detection tuning to guide identity control improvements and incident response playbooks.
Analyst notes and limits

This Glexia take is based on the supplied ATT&CK analytic description for AN1857. The most decision-relevant point is correlation: authentication activity becomes more useful when joined with VPN, physical access, session, and account context. The object has no supplied relationship context, tactics, platforms, or official detection block beyond the description, so implementation must be environment-specific.

No platforms, tactics, relationships, or detailed official detection logic were supplied. This summary does not assert active exploitation, adversary attribution, customer exposure, or guaranteed detection coverage. Local log availability, account model, and business process context are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1857

Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
51e5b030f968f792...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 51e5b030f968…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1857
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use