Home
ATT&CK Techniques
T1078 Valid Accounts

T1078 Valid Accounts Mappings

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1078	Valid Accounts
AC-3	Access Enforcement	Protects	T1078	Valid Accounts
AC-5	Separation of Duties	Protects	T1078	Valid Accounts
AC-6	Least Privilege	Protects	T1078	Valid Accounts
CA-7	Continuous Monitoring	Protects	T1078	Valid Accounts
CA-8	Penetration Testing	Protects	T1078	Valid Accounts
CM-5	Access Restrictions for Change	Protects	T1078	Valid Accounts
CM-6	Configuration Settings	Protects	T1078	Valid Accounts
IA-12	Identity Proofing	Protects	T1078	Valid Accounts
IA-2	Identification and Authentication (organizational Users)	Protects	T1078	Valid Accounts
IA-5	Authenticator Management	Protects	T1078	Valid Accounts
PL-8	Security and Privacy Architectures	Protects	T1078	Valid Accounts
RA-5	Vulnerability Monitoring and Scanning	Protects	T1078	Valid Accounts
SA-10	Developer Configuration Management	Protects	T1078	Valid Accounts
SA-11	Developer Testing and Evaluation	Protects	T1078	Valid Accounts
SA-12	Supply Chain Protection	Protects	T1078	Valid Accounts
SA-15	Development Process, Standards, and Tools	Protects	T1078	Valid Accounts
SA-16	Developer-provided Training	Protects	T1078	Valid Accounts
SA-17	Developer Security and Privacy Architecture and Design	Protects	T1078	Valid Accounts
SA-3	System Development Life Cycle	Protects	T1078	Valid Accounts
SA-4	Acquisition Process	Protects	T1078	Valid Accounts
SA-8	Security and Privacy Engineering Principles	Protects	T1078	Valid Accounts
SC-28	Protection of Information at Rest	Protects	T1078	Valid Accounts
SI-4	System Monitoring	Protects	T1078	Valid Accounts
azure_ad_identity_protection	Azure AD Identity Protection	technique_scores	T1078	Valid Accounts
azure_ad_identity_protection	Azure AD Identity Protection	technique_scores	T1078	Valid Accounts
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1078	Valid Accounts
azure_security_center_recommendations	Azure Security Center Recommendations	technique_scores	T1078	Valid Accounts
azure_defender_for_storage	Azure Defender for Storage	technique_scores	T1078	Valid Accounts
azure_sentinel	Azure Sentinel	technique_scores	T1078	Valid Accounts
azure_ad_multi-factor_authentication	Azure AD Multi-Factor Authentication	technique_scores	T1078	Valid Accounts
role_based_access_control	Role Based Access Control	technique_scores	T1078	Valid Accounts
alerts_for_azure_cosmos_db	Alerts for Azure Cosmos DB	technique_scores	T1078	Valid Accounts
azure_policy	Azure Policy	technique_scores	T1078	Valid Accounts
azure_ad_privileged_identity_management	Azure AD Privileged Identity Management	technique_scores	T1078	Valid Accounts
advanced_threat_protection_for_azure_sql_database	Advanced Threat Protection for Azure SQL Database	technique_scores	T1078	Valid Accounts
conditional_access	Conditional Access	technique_scores	T1078	Valid Accounts
cloud_app_security_policies	Cloud App Security Policies	technique_scores	T1078	Valid Accounts
azure_ad_identity_secure_score	Azure AD Identity Secure Score	technique_scores	T1078	Valid Accounts
azure_ad_identity_secure_score	Azure AD Identity Secure Score	technique_scores	T1078	Valid Accounts
sql_vulnerability_assessment	SQL Vulnerability Assessment	technique_scores	T1078	Valid Accounts
continuous_access_evaluation	Continuous Access Evaluation	technique_scores	T1078	Valid Accounts

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1078.004	Cloud Accounts	38
T1078.001	Default Accounts	19
T1078.002	Domain Accounts	17
T1078.003	Local Accounts	22