Default Accounts - T1078.001
(ATT&CK® Technique)
Definition
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider-set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR
    %% D3FEND inferred-relationship graph for ATT&CK T1078.001 (Default Accounts).
    %% Solid edges link a technique to a digital artifact; dotted "May ..." edges
    %% link a defensive technique to the offensive technique it may counter.
    %% Edge order is kept as generated; repeated class/click statements are
    %% collapsed into one per node and placed after the edges that define the nodes.

    %% Artifacts the offensive technique uses or produces
    T1078001["Default Accounts"] --> |uses| UserAccount["User Account"]
    T1078001["Default Accounts"] --> |produces| Authentication["Authentication"]
    T1078001["Default Accounts"] --> |produces| Authorization["Authorization"]
    T1078001["Default Accounts"] --> |uses| DefaultUserAccount["Default User Account"]

    %% Harden: credential and permission controls on the account artifacts
    One-timePassword["One-time Password"] --> | authenticates | UserAccount["User Account"]
    One-timePassword["One-time Password"] -.-> | May Harden | T1078001["Default Accounts"]
    One-timePassword["One-time Password"] --> | authenticates | DefaultUserAccount["Default User Account"]
    StrongPasswordPolicy["Strong Password Policy"] --> | strengthens | UserAccount["User Account"]
    StrongPasswordPolicy["Strong Password Policy"] -.-> | May Harden | T1078001["Default Accounts"]
    StrongPasswordPolicy["Strong Password Policy"] --> | strengthens | DefaultUserAccount["Default User Account"]
    UserAccountPermissions["User Account Permissions"] --> | restricts | UserAccount["User Account"]
    UserAccountPermissions["User Account Permissions"] -.-> | May Harden | T1078001["Default Accounts"]
    UserAccountPermissions["User Account Permissions"] --> | restricts | DefaultUserAccount["Default User Account"]

    %% Detect: analytics over authentication and authorization events
    AuthorizationEventThresholding["Authorization Event Thresholding"] --> | analyzes | Authorization["Authorization"]
    AuthorizationEventThresholding["Authorization Event Thresholding"] -.-> | May Detect | T1078001["Default Accounts"]
    JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] --> | analyzes | Authorization["Authorization"]
    JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -.-> | May Detect | T1078001["Default Accounts"]
    ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] --> | analyzes | Authentication["Authentication"]
    ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.-> | May Detect | T1078001["Default Accounts"]
    ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] --> | analyzes | Authorization["Authorization"]
    SessionDurationAnalysis["Session Duration Analysis"] --> | analyzes | Authentication["Authentication"]
    SessionDurationAnalysis["Session Duration Analysis"] -.-> | May Detect | T1078001["Default Accounts"]
    SessionDurationAnalysis["Session Duration Analysis"] --> | analyzes | Authorization["Authorization"]
    AuthenticationEventThresholding["Authentication Event Thresholding"] --> | analyzes | Authentication["Authentication"]
    AuthenticationEventThresholding["Authentication Event Thresholding"] -.-> | May Detect | T1078001["Default Accounts"]

    %% Restore: return account access to its legitimate owner
    RestoreUserAccountAccess["Restore User Account Access"] --> | restores | DefaultUserAccount["Default User Account"]
    RestoreUserAccountAccess["Restore User Account Access"] -.-> | May Restore | T1078001["Default Accounts"]

    %% Harden: additional authentication factors
    BiometricAuthentication["Biometric Authentication"] --> | authenticates | UserAccount["User Account"]
    BiometricAuthentication["Biometric Authentication"] -.-> | May Harden | T1078001["Default Accounts"]
    BiometricAuthentication["Biometric Authentication"] --> | authenticates | DefaultUserAccount["Default User Account"]
    Multi-factorAuthentication["Multi-factor Authentication"] --> | authenticates | UserAccount["User Account"]
    Multi-factorAuthentication["Multi-factor Authentication"] -.-> | May Harden | T1078001["Default Accounts"]
    Multi-factorAuthentication["Multi-factor Authentication"] --> | authenticates | DefaultUserAccount["Default User Account"]

    %% Restore (continued)
    RestoreUserAccountAccess["Restore User Account Access"] --> | restores | UserAccount["User Account"]

    %% Evict: disable the abused account
    AccountLocking["Account Locking"] --> | disables | UserAccount["User Account"]
    AccountLocking["Account Locking"] -.-> | May Evict | T1078001["Default Accounts"]
    AccountLocking["Account Locking"] --> | disables | DefaultUserAccount["Default User Account"]

    %% Restore: re-enable an account once it is safe to do so
    UnlockAccount["Unlock Account"] --> | restores | UserAccount["User Account"]
    UnlockAccount["Unlock Account"] -.-> | May Restore | T1078001["Default Accounts"]
    UnlockAccount["Unlock Account"] --> | restores | DefaultUserAccount["Default User Account"]

    %% Node styling: one class per node
    class T1078001 OffensiveTechniqueNode
    class UserAccount ArtifactNode
    class Authentication ArtifactNode
    class Authorization ArtifactNode
    class DefaultUserAccount ArtifactNode
    class One-timePassword DefensiveTechniqueNode
    class StrongPasswordPolicy DefensiveTechniqueNode
    class UserAccountPermissions DefensiveTechniqueNode
    class AuthorizationEventThresholding DefensiveTechniqueNode
    class JobFunctionAccessPatternAnalysis DefensiveTechniqueNode
    class ResourceAccessPatternAnalysis DefensiveTechniqueNode
    class SessionDurationAnalysis DefensiveTechniqueNode
    class AuthenticationEventThresholding DefensiveTechniqueNode
    class RestoreUserAccountAccess DefensiveTechniqueNode
    class BiometricAuthentication DefensiveTechniqueNode
    class Multi-factorAuthentication DefensiveTechniqueNode
    class AccountLocking DefensiveTechniqueNode
    class UnlockAccount DefensiveTechniqueNode

    %% Node links: one target page per node
    click T1078001 href "/offensive-technique/attack/T1078.001/"
    click UserAccount href "/dao/artifact/d3f:UserAccount"
    click Authentication href "/dao/artifact/d3f:Authentication"
    click Authorization href "/dao/artifact/d3f:Authorization"
    click DefaultUserAccount href "/dao/artifact/d3f:DefaultUserAccount"
    click One-timePassword href "/technique/d3f:One-timePassword"
    click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"
    click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"
    click AuthorizationEventThresholding href "/technique/d3f:AuthorizationEventThresholding"
    click JobFunctionAccessPatternAnalysis href "/technique/d3f:JobFunctionAccessPatternAnalysis"
    click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"
    click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis"
    click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding"
    click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"
    click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"
    click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"
    click AccountLocking href "/technique/d3f:AccountLocking"
    click UnlockAccount href "/technique/d3f:UnlockAccount"