Valid Accounts - T1078
(ATT&CK® Technique)
Definition
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for this technique.

Artifacts used by Valid Accounts (T1078):
User Account (d3f:UserAccount)
Cloud User Account (d3f:CloudUserAccount)
Default User Account (d3f:DefaultUserAccount)
Domain User Account (d3f:DomainUserAccount)
Local User Account (d3f:LocalUserAccount)

Defensive techniques, their inferred relationship to T1078, and the artifacts they act on:
Restore User Account Access (d3f:RestoreUserAccountAccess): may-restore T1078; restores User Account, Cloud User Account, Default User Account, Domain User Account, Local User Account.
User Account Permissions (d3f:UserAccountPermissions): may-isolate T1078; restricts Domain User Account, Local User Account, User Account, Default User Account, Cloud User Account.
Domain Account Monitoring (d3f:DomainAccountMonitoring): may-detect T1078; monitors Domain User Account.
Local Account Monitoring (d3f:LocalAccountMonitoring): may-detect T1078; analyzes Local User Account.
Account Locking (d3f:AccountLocking): may-evict T1078; disables User Account, Cloud User Account, Default User Account, Domain User Account, Local User Account.
Unlock Account (d3f:UnlockAccount): may-restore T1078; restores Default User Account, Domain User Account, Local User Account, User Account, Cloud User Account.
Agent Authentication (d3f:AgentAuthentication): may-harden T1078; strengthens Default User Account, Domain User Account, Local User Account, User Account, Cloud User Account.