1. Home
  2. ATT&CK Techniques
  3. T1078 Valid Accounts

T1078 Valid Accounts Mappings

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1078 Valid Accounts
AC-3 Access Enforcement Protects T1078 Valid Accounts
AC-5 Separation of Duties Protects T1078 Valid Accounts
AC-6 Least Privilege Protects T1078 Valid Accounts
CA-7 Continuous Monitoring Protects T1078 Valid Accounts
CA-8 Penetration Testing Protects T1078 Valid Accounts
CM-5 Access Restrictions for Change Protects T1078 Valid Accounts
CM-6 Configuration Settings Protects T1078 Valid Accounts
IA-12 Identity Proofing Protects T1078 Valid Accounts
IA-2 Identification and Authentication (organizational Users) Protects T1078 Valid Accounts
IA-5 Authenticator Management Protects T1078 Valid Accounts
PL-8 Security and Privacy Architectures Protects T1078 Valid Accounts
RA-5 Vulnerability Monitoring and Scanning Protects T1078 Valid Accounts
SA-10 Developer Configuration Management Protects T1078 Valid Accounts
SA-11 Developer Testing and Evaluation Protects T1078 Valid Accounts
SA-12 Supply Chain Protection Protects T1078 Valid Accounts
SA-15 Development Process, Standards, and Tools Protects T1078 Valid Accounts
SA-16 Developer-provided Training Protects T1078 Valid Accounts
SA-17 Developer Security and Privacy Architecture and Design Protects T1078 Valid Accounts
SA-3 System Development Life Cycle Protects T1078 Valid Accounts
SA-4 Acquisition Process Protects T1078 Valid Accounts
SA-8 Security and Privacy Engineering Principles Protects T1078 Valid Accounts
SC-28 Protection of Information at Rest Protects T1078 Valid Accounts
SI-4 System Monitoring Protects T1078 Valid Accounts
azure_ad_identity_protection Azure AD Identity Protection technique_scores T1078 Valid Accounts
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in an overall Partial detection score.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
  2. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
  3. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
  4. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
azure_ad_identity_protection Azure AD Identity Protection technique_scores T1078 Valid Accounts
Comments
This control provides a response capability that accompanies its detection capability that can contain and eradicate the impact of this technique. Because this capability varies between containment (federated accounts) and eradication (cloud accounts) and is only able to respond to some of this technique's sub-techniques, it has been scored as Partial.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
  2. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
  3. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
  4. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1078 Valid Accounts
Comments
This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1078 Valid Accounts
Comments
This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
azure_defender_for_storage Azure Defender for Storage technique_scores T1078 Valid Accounts
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage
azure_sentinel Azure Sentinel technique_scores T1078 Valid Accounts
Comments
This control provides partial coverage for all of this technique's sub-techniques and a number of its procedures, resulting in an overall score of Partial.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication technique_scores T1078 Valid Accounts
Comments
This control only protects cloud accounts and therefore its overall protection coverage is Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
role_based_access_control Role Based Access Control technique_scores T1078 Valid Accounts
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples (due to being specific to Azure AD) nor its remaining sub-technqiues. Consequently its coverage score factor is Minimal, resulting in a Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB technique_scores T1078 Valid Accounts
Comments
This control's detection is specific to the Cosmos DB and therefore provides minimal overall detection coverage for Valid Accounts resulting in a Minimal score. A relevant alert is "Access from an unusual location to a Cosmos DB account".
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections
  3. https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection
azure_policy Azure Policy technique_scores T1078 Valid Accounts
Comments
References
  1. https://docs.microsoft.com/en-us/azure/governance/policy/overview
  2. https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
azure_ad_privileged_identity_management Azure AD Privileged Identity Management technique_scores T1078 Valid Accounts
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database technique_scores T1078 Valid Accounts
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse
conditional_access Conditional Access technique_scores T1078 Valid Accounts
Comments
This control only provides minimal protection for this technique's procedure examples along and also only protects one of its sub-techniques resulting in an overall Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
cloud_app_security_policies Cloud App Security Policies technique_scores T1078 Valid Accounts
Comments
This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address" , "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1078 Valid Accounts
Comments
This control provides recommendations that can lead to protecting against the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques Additionally, it provides limited protection for this technique's procedure examples. Consequently, its overall protection coverage score is minimal.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
  2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  3. https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes
  4. https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1078 Valid Accounts
Comments
This control provides recommendations that can lead to the detection of the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques Additionally, it provides limited detection for this technique's procedure examples. Consequently, its overall detection coverage score is minimal.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
  2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  3. https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes
  4. https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
sql_vulnerability_assessment SQL Vulnerability Assessment technique_scores T1078 Valid Accounts
Comments
References
  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment
  2. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules
continuous_access_evaluation Continuous Access Evaluation technique_scores T1078 Valid Accounts
Comments
This control only protects cloud accounts and therefore its overall coverage is minimal resulting in a Minimal respond score for this technique.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1078.004 Cloud Accounts 38
T1078.001 Default Accounts 19
T1078.002 Domain Accounts 17
T1078.003 Local Accounts 22