Detecting valid account abuse for privilege escalation (T1078)

What is T1078 — Valid accounts for privilege escalation?

MITRE ATT&CK® T1078 covers the use of legitimate credentials to perform actions within an environment. As a privilege escalation technique, it specifically describes scenarios where an attacker who has already gained initial access with limited privileges uses additionally obtained credentials for higher-privilege accounts to elevate their access within the environment.

The critical distinction: T1078 privilege escalation requires no vulnerability, no exploit, and no malware. The attacker simply is the privileged account, or gains the privileges legitimately through identity infrastructure abuse. This makes it extraordinarily difficult to detect without behavioral baselines and comprehensive user behavior analytics covering every identity activity across the environment.

How attackers escalate privileges via valid accounts

Valid account abuse for privilege escalation takes several distinct forms, each with a different log footprint and different detection approach:

Active Directory group membership manipulation

After gaining initial access, an attacker with write permissions to an AD group obtained through misconfigured ACLs, delegation abuse, or compromised accounts can add themselves or a backdoor account to a privileged group such as Domain Admins, Enterprise Admins, or Local Administrators. The account immediately inherits all rights associated with the group. Event IDs 4728, 4732, and 4756 capture these changes, but only if AD auditing is configured at the appropriate granularity. Preventing credential stuffing and lateral movement requires catching these group changes in real time before the attacker acts on elevated access.

PIM role activation abuse (Microsoft 365)

Azure AD Privileged Identity Management (PIM) allows eligible accounts to activate high-privilege roles (Global Administrator, Privileged Role Administrator) on demand, without permanently holding those roles. An attacker who compromises an account with PIM eligibility can activate the role, perform privileged actions in M365 or Azure, and deactivate the role creating a narrow window of elevated privilege that may be missed if alert thresholds are set too high. Log360 detects all PIM role configuration changes

Cloud IAM role assumption (AWS)

In AWS, attackers who obtain access keys for an IAM user with sts:AssumeRole permissions can assume a higher-privilege IAM role, temporarily acquiring that role's permissions. Combined with the IAM user's own permissions, this can achieve near-administrative access. AWS CloudTrail captures role assumption events, and Log360's AWS integration surfaces anomalous assumption patterns.

Service account credential abuse

Service accounts often have elevated privileges (read/write to file systems, execute-as rights, database access) that are broader than required. If attackers compromise a service account through kerberoasting, credential dumping, or weak password exploitation they may immediately have privileges beyond what a standard user account provides. Log360 detects unusual interactive logons from service accounts, which are a strong indicator of this abuse pattern. Tools like Mimikatz are commonly used to extract service account credentials from memory, making LSASS process monitoring a key detection layer.

Privilege escalation scenarios using T1078

Detection indicators for T1078

Because T1078 uses legitimate authentication mechanisms, detection depends on identifying what is unusual rather than what is malicious by signature. The primary detection vectors are:

• Privileged group membership changes: Any account added to Domain Admins, Enterprise Admins, Local Administrators, or other sensitive groups should trigger immediate investigation. Legitimate changes should be traceable to an approved change request.
• Privileged account authentication from unusual contexts: Admin accounts logging in from workstations they have never accessed, from unexpected geographic locations, or outside normal business hours are strong T1078 behavioral indicators.
• PIM role activations without expected context: PIM activations from accounts lacking a concurrent change management ticket, or activations for roles the account has only used infrequently, warrant investigation.
• Service account interactive logons: Service accounts performing interactive (Type 2) logons instead of their expected network or service logon types indicate credential theft and lateral use.
• Multiple group elevation actions in quick succession: An account adding itself or another account to multiple privileged groups within minutes is a strong indicator of automated privilege escalation scripts.

Log360 detection rules for T1078

Investigation steps

1. Identify who made the change: For group membership alerts, check Event ID 4728/4732/4756 for the actor account (the account that performed the modification), not just the target account. Verify whether the actor account is authorized to make group changes.
2. Correlate with change management records: Was there an approved ticket authorizing this privilege change at this time? Unauthorized changes or changes outside the approved window are high-confidence malicious indicators.
3. Check the source workstation: Is the change originating from a privileged administration workstation (PAW) or from a standard desktop? Admin group changes from standard desktops are a strong indicator of compromise.
4. Review the actor account's recent activity: In Log360's user activity dashboard, examine the actor account's logon history for the past 24-72 hours. Look for logons from new IPs or unusual locations preceding the group change this may indicate the actor account itself was compromised.
5. Check for persistence mechanisms in parallel: T1078 escalation is often used in conjunction with persistence techniques. In the same timeframe, look for new scheduled tasks (T1053), new services (T1543), or new user accounts being created.
6. For cloud (M365/AWS) alerts: Review the full API call sequence in Log360's cloud activity logs. What actions did the elevated account take after the PIM activation or role assumption? Was data accessed, exported, or new credentials provisioned?

Response playbook

• Revert unauthorized privilege changes: Immediately remove any unauthorized group memberships. If an account was added to Domain Admins, remove it and review whether it was used to make any further changes while elevated.
• Disable or isolate the actor account: The account that performed the unauthorized privilege change is likely compromised. Disable it pending investigation and force a password reset with MFA re-enrollment once cleared.
• Review all actions taken with the elevated privileges: If the escalation succeeded, the attacker had elevated privileges for a period. Audit all actions taken by the elevated account in that window files accessed, processes launched, outbound connections made.
• Rotate credentials for affected accounts: Both the elevated account and the actor account should have passwords rotated. For domain admin compromise, follow the AD compromise recovery procedure including krbtgt account rotation.
• Audit delegated permissions and ACLs: T1078 often exploits overly permissive ACL delegation. After containment, audit AD for accounts with unexpected permissions to modify group memberships, reset passwords, or modify user attributes. Use user identity mapping to ensure all service accounts and privileged accounts are inventoried with their effective permissions clearly documented.
• Review PIM eligibility assignments (M365): Tighten PIM eligibility lists, implement approval workflows for high-privilege roles, and enforce activation time limits to reduce the blast radius of future T1078 exploitation. Integrate Log360's risk posture management to continuously assess identity risk and surface accounts that have accumulated excessive privileges over time.

Explore related privilege escalation detection guides

Frequently asked questions