MITRE ATT&CK® Detection Strategy

DET0210: Abuse of Domain Accounts


Domain: Enterprise. ID: DET0210. Type: Detection Strategy. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Abuse of domain accounts matters because a valid domain credential can make attacker activity look like normal business activity. Even though this ATT&CK detection strategy has no official detection text or platform list, its relationship to Domain Accounts (T1078.002) ties it to initial access, persistence, privilege escalation, and defense evasion across domain-managed environments. For leaders, the practical question is whether the organization can distinguish legitimate domain account use from suspicious use before the account becomes a durable foothold.

Executive priority

Prioritize this as an identity and resilience issue, not just an endpoint alerting issue. Domain accounts can include users, administrators, and services, so weak monitoring or governance can affect incident containment, audit evidence, privilege control, and business continuity. Executives should ask whether SOC, IAM, and incident response teams have usable evidence for domain logons, privilege use, account changes, and service account activity, and whether high-value accounts receive stronger review and response handling.

Technical view

Because the detection strategy object does not provide official detection logic, teams should validate coverage against the related technique T1078.002: abuse of Active Directory Domain Services accounts for initial access, persistence, privilege escalation, or defense evasion. Detection engineering should focus on behavioral baselining and correlation of domain authentication, authorization, account administration, and host access events. IR teams should ensure investigations can reconstruct which domain account authenticated, from where, to which systems or services, with what privileges, and whether the pattern differs from expected user, admin, or service account behavior.

Likely telemetry

  • Domain controller authentication and logon events
  • Account management and group membership change logs
  • Privileged account and administrative action logs
  • Service account authentication and service access records
  • Endpoint logon/session evidence from Windows, Linux, macOS, and ESXi where domain accounts are used

Detection direction

  • Validate that domain account activity is correlated across identity, endpoint, and network telemetry rather than reviewed as isolated logon events.
  • Tune for deviations from expected account behavior, such as unusual source systems, unusual target systems, atypical times, unexpected privilege use, or abnormal service account interactive activity.
  • Separate baselines for standard users, administrators, and service accounts; false positives are likely if all domain accounts are treated the same.
  • Use relationship context from T1078.002 to look for account abuse supporting initial access, persistence, privilege escalation, or defense evasion, not only failed logons or obvious brute force patterns.
  • Check blind spots where systems accept domain credentials but do not forward usable logs to the SOC, including non-Windows platforms named in the related technique context.
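The baselining and correlation described in the detection direction list, together with the account-chain reconstruction the Technical view asks IR teams to be able to perform, as an added example. This is illustrative code written for this page, not MITRE's detection logic and not a Glexia tool. It assumes Windows Security events 4624 (logon) and 4672 (special privileges assigned) have already been normalised into dicts using their standard field names, a hypothetical account inventory that tags each domain account as user, admin or service, an assumed tier-0 host set, and constructed sample events standing in for domain controller and endpoint telemetry.

```python
"""Per-account-type baselining and deviation checks over constructed domain logon events."""
from collections import defaultdict
from datetime import datetime

# Hypothetical inventory (assumption for this example): in practice derived from
# AD group membership, SPN presence and service-account ownership records.
INVENTORY = {"jdoe": "user", "adm-jdoe": "admin", "svc-backup": "service"}

# 4624 LogonType values that imply a human session: 2 Interactive,
# 10 RemoteInteractive (RDP), 11 CachedInteractive. A service account
# producing one of these is abnormal.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Hosts where 4672 for an admin account is expected (assumed tier-0 set).
ADMIN_TIER_HOSTS = {"DC01", "DC02"}


def account_of(e):
    # 4624 names the logged-on account in TargetUserName, 4672 in SubjectUserName.
    return e.get("TargetUserName") or e.get("SubjectUserName")


def hour_of(e):
    return datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%S").hour


def build_baseline(events):
    """Per-account sets of source hosts, target hosts and logon hours seen in 4624s."""
    base = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for e in events:
        if e["EventID"] == 4624:
            b = base[account_of(e)]
            b["sources"].add(e["WorkstationName"])
            b["targets"].add(e["Computer"])
            b["hours"].add(hour_of(e))
    return dict(base)


def evaluate(e, baseline):
    """Findings for one event; an empty list means no deviation from baseline."""
    user = account_of(e)
    kind = INVENTORY.get(user, "user")  # unknown accounts are judged as standard users
    findings = []
    if e["EventID"] == 4624:
        if kind == "service" and e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            findings.append(f"service account {user}: interactive logon type {e['LogonType']} on {e['Computer']}")
        b = baseline.get(user)
        if b is None:
            findings.append(f"{user}: no baseline, review manually")
            return findings
        if e["WorkstationName"] not in b["sources"]:
            findings.append(f"{user}: unseen source {e['WorkstationName']}")
        if e["Computer"] not in b["targets"]:
            findings.append(f"{user}: unseen target {e['Computer']}")
        if hour_of(e) not in b["hours"]:
            findings.append(f"{user}: atypical hour {hour_of(e):02d}")
    elif e["EventID"] == 4672 and kind == "admin" and e["Computer"] not in ADMIN_TIER_HOSTS:
        findings.append(f"admin {user}: privilege use on non-tier host {e['Computer']}")
    return findings


def run_detection(baseline_events, new_events):
    """Return [(account, findings)] for every new event that deviates from baseline."""
    baseline = build_baseline(baseline_events)
    return [(account_of(e), f) for e in new_events if (f := evaluate(e, baseline))]


def reconstruct(events, user):
    """Ordered (time, source, target, logon type) chain of one account's 4624 events:
    the minimum an IR analyst needs to retrace where the account went."""
    return sorted((e["TimeCreated"], e["WorkstationName"], e["Computer"], e["LogonType"])
                  for e in events if e["EventID"] == 4624 and account_of(e) == user)


# Constructed sample events (not real logs).
def logon(ts, user, ltype, src, dst):
    return {"EventID": 4624, "TimeCreated": ts, "TargetUserName": user,
            "LogonType": ltype, "WorkstationName": src, "Computer": dst}


def priv(ts, user, host):
    return {"EventID": 4672, "TimeCreated": ts, "SubjectUserName": user, "Computer": host}


BASELINE = [  # a quiet baseline week
    logon("2026-03-02T08:15:00", "jdoe", 2, "WS-JDOE", "WS-JDOE"),
    logon("2026-03-02T09:30:00", "jdoe", 3, "WS-JDOE", "FS01"),
    logon("2026-03-03T10:05:00", "jdoe", 3, "WS-JDOE", "FS01"),
    logon("2026-03-02T14:00:00", "adm-jdoe", 10, "JUMP01", "DC01"),
    priv("2026-03-02T14:00:01", "adm-jdoe", "DC01"),
    logon("2026-03-02T01:00:00", "svc-backup", 3, "BK01", "FS01"),
    logon("2026-03-03T01:00:00", "svc-backup", 3, "BK01", "FS01"),
]
NEW = [  # events under review
    logon("2026-03-09T09:45:00", "jdoe", 3, "WS-JDOE", "FS01"),            # normal
    logon("2026-03-09T22:40:00", "svc-backup", 10, "WS-JDOE", "FS01"),     # RDP with a service account
    logon("2026-03-09T22:41:00", "adm-jdoe", 2, "WS-JDOE", "WS-JDOE"),     # admin on a workstation
    priv("2026-03-09T22:41:01", "adm-jdoe", "WS-JDOE"),                    # privileges outside tier-0
    logon("2026-03-09T22:50:00", "ext-contractor", 3, "WS-JDOE", "FS01"),  # account with no history
]

if __name__ == "__main__":
    for account, findings in run_detection(BASELINE, NEW):
        print(account, findings)
    print(reconstruct(BASELINE + NEW, "svc-backup"))
```

The service-account rule fires regardless of baseline because an interactive logon by a service account is wrong by policy, not merely unusual; the source, target and hour checks are baseline-relative and are what need the separate per-type baselines the list calls for. With a one-week baseline the hour check is crude and will produce false positives for accounts with irregular hours; in production it would run against a rolling window with per-account tolerances, and the 4624 and 4672 records for the same account within a short interval would be correlated into one incident rather than alerted separately.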

Mitigation priorities

  • Inventory domain users, administrators, and service accounts, and identify high-risk or broadly privileged accounts first.
  • Enforce least privilege and regular review of group memberships and delegated rights for domain accounts.
  • Apply stronger authentication and access controls to privileged and remote-accessible domain accounts where supported by the environment.
  • Reduce service account risk through ownership, purpose documentation, constrained permissions, and monitoring for abnormal use.
  • Ensure domain controller, directory, endpoint, and remote access logs are retained and available for investigation and compliance evidence.

Analyst notes and limits

The source object is a detection strategy named Abuse of Domain Accounts, but it does not include an official description, detection text, tactics, or platforms. The practical guidance therefore relies on the explicit relationship showing that this strategy detects T1078.002 Domain Accounts, whose supplied context covers Active Directory Domain Services accounts and the tactics initial access, persistence, privilege escalation, and defense evasion.

ATT&CK does not provide detection logic, data sources, or object-specific platforms for DET0210 in the supplied fields. Local architecture, identity provider design, logging configuration, account inventory, and normal business behavior are required to determine actual coverage and alert quality.

Official MITRE ATT&CK definition

Abuse of Domain Accounts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name             Type           Relationship / procedure
Enterprise  T1078.002  Domain Accounts  Sub-technique  This object detects Domain Accounts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2a93370a7b6b379d...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  2a93370a7b6b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0210 (source URL preserved in the mirrored record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.