Valid Accounts - T1078
(ATT&CK® Technique)
Definition
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
D3FEND Inferred Relationships
Artifacts related to Valid Accounts (T1078):
- uses: User Account, Cloud User Account, Default User Account, Domain User Account, Local User Account
- produces: Authentication, Authorization

May Detect:
- Resource Access Pattern Analysis (analyzes Authorization, Authentication)
- Session Duration Analysis (analyzes Authentication, Authorization)
- Authentication Event Thresholding (analyzes Authentication)
- Authorization Event Thresholding (analyzes Authorization)
- Job Function Access Pattern Analysis (analyzes Authorization)
- Domain Account Monitoring (monitors Domain User Account)
- Local Account Monitoring (analyzes Local User Account)

May Harden:
- One-time Password (authenticates Default User Account, Cloud User Account, Domain User Account, Local User Account, User Account)
- Multi-factor Authentication (authenticates Local User Account, Default User Account, Domain User Account, User Account, Cloud User Account)
- Biometric Authentication (authenticates Default User Account, Local User Account, Domain User Account, User Account, Cloud User Account)
- Strong Password Policy (strengthens Domain User Account, Default User Account, Local User Account, User Account, Cloud User Account)
- User Account Permissions (restricts Default User Account, Cloud User Account, Local User Account, User Account, Domain User Account)

May Evict:
- Account Locking (disables Default User Account, Domain User Account, Local User Account, User Account, Cloud User Account)

May Restore:
- Restore User Account Access (restores Local User Account, Cloud User Account, Domain User Account, User Account, Default User Account)
- Unlock Account (restores Local User Account, User Account, Cloud User Account, Default User Account, Domain User Account)