Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)
The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-03 | Information Exchange | Protects | T1078 | Valid Accounts | |
| SC-43 | Usage Restrictions | Protects | T1078 | Valid Accounts | |
| SC-07 | Boundary Protection | Protects | T1078 | Valid Accounts | |
| CM-07 | Least Functionality | Protects | T1078 | Valid Accounts | |
| AC-02 | Account Management | Protects | T1078 | Valid Accounts | |
| AC-03 | Access Enforcement | Protects | T1078 | Valid Accounts | |
| AC-05 | Separation of Duties | Protects | T1078 | Valid Accounts | |
| AC-06 | Least Privilege | Protects | T1078 | Valid Accounts | |
| CA-07 | Continuous Monitoring | Protects | T1078 | Valid Accounts | |
| CM-05 | Access Restrictions for Change | Protects | T1078 | Valid Accounts | |
| CM-06 | Configuration Settings | Protects | T1078 | Valid Accounts | |
| IA-12 | Identity Proofing | Protects | T1078 | Valid Accounts | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1078 | Valid Accounts | |
| IA-05 | Authenticator Management | Protects | T1078 | Valid Accounts | |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1078 | Valid Accounts | |
| SA-10 | Developer Configuration Management | Protects | T1078 | Valid Accounts | |
| SA-11 | Developer Testing and Evaluation | Protects | T1078 | Valid Accounts | |
| SA-15 | Development Process, Standards, and Tools | Protects | T1078 | Valid Accounts | |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1078 | Valid Accounts | |
| SA-03 | System Development Life Cycle | Protects | T1078 | Valid Accounts | |
| SA-04 | Acquisition Process | Protects | T1078 | Valid Accounts | |
| SA-08 | Security and Privacy Engineering Principles | Protects | T1078 | Valid Accounts | |
| SC-28 | Protection of Information at Rest | Protects | T1078 | Valid Accounts | |
| SI-04 | System Monitoring | Protects | T1078 | Valid Accounts | |
| SR-06 | Supplier Assessments and Reviews | Protects | T1078 | Valid Accounts | |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1078 | Valid Accounts |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Valid Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed.
License Requirements:
Microsoft 365 E3 and E5
References
|
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1078 | Valid Accounts |
Comments
The RBAC control can be used to implement the principle of least privilege for account management, reducing the potential actions that can be taken with Valid Default and Cloud Accounts. Although RBAC can limit the actions the adversary can take if a Valid Account has been compromised, it does not protect against different variations of the technique's procedure. Due to overall Minimal coverage, it receives an overall score of Minimal.
License Requirements:
ME-ID Built-in Roles (Free)
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| ME-PWP-E3 | Password Policy | Technique Scores | T1078 | Valid Accounts |
Comments
Accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1078 | Valid Accounts |
Comments
The PIM control supports an Access Review feature, which can partially be used to avoid stale role assignment for Valid Accounts: Cloud Accounts. The control does not protect against this technique's other sub-techniques, resulting in a Minimal coverage score, for an overall score of Minimal.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|
| ME-PP-E3 | Password Protection | Technique Scores | T1078 | Valid Accounts |
Comments
Accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.
License Requirements:
Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
|
| ME-IP-E5 | Identity Protection | Technique Scores | T1078 | Valid Accounts |
Comments
Accounts should have complex and unique passwords across all systems on the network. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.
License Requirements:
Microsoft Entra ID P2
References
|
| ME-CAE-E3 | Conditional Access Evaluation | Technique Scores | T1078 | Valid Accounts |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
User Account is deleted or disabled
Password for a user is changed or reset
Multifactor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
References
|
| ME-CA-E5 | Conditional Access | Technique Scores | T1078 | Valid Accounts |
Comments
Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2.
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1078 | Valid Accounts |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1078 | Valid Accounts |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1078 | Valid Accounts |
Comments
Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1078 | Valid Accounts |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to valid account attacks due to Incident Response monitoring for newly constructed logon behavior that may obtain and abuse credentials of existing accounts.
License Requirements:
Microsoft Defender XDR
References
|
| DO365-AG-E5 | App Governance | Technique Scores | T1078 | Valid Accounts |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Valid Account attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.
License Requirements:
Microsoft Defender for Cloud Apps
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1078 | Valid Accounts |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1078 | Valid Accounts |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Valid Account attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for newly constructed logon behavior.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1078 | Valid Accounts |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1078.001 | Default Accounts | 17 |
| T1078.002 | Domain Accounts | 12 |
| T1078.004 | Cloud Accounts | 33 |
| T1078.003 | Local Accounts | 19 |