attack.t1078.001

Admin User Remote Logon

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.lateral-movement attack.initial-access attack.stealth attack.t1078.001 attack.t1078.002 attack.t1078.003 car.2016-04-005 ·

Share on:

Detect remote login by Administrator user (depending on internal pattern).

Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.initial-access attack.stealth attack.t1078.001 detection.emerging-threats cve.2025-57788 ·

Share on:

Detects a qlogin.exe command attempting to authenticate as the internal _+_PublicSharingUser_ using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Guest Account Enabled Via Sysadminctl

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.initial-access attack.stealth attack.t1078 attack.t1078.001 ·

Share on:

Detects attempts to enable the guest account using the sysadminctl utility

Root Account Enable Via Dsenableroot

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.t1078 attack.t1078.001 attack.t1078.003 attack.initial-access attack.persistence ·

Share on:

Detects attempts to enable the root account via "dsenableroot"