T1078: Valid Accounts

Data from MITRE ATT&CK®:

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Password Policies

Set and enforce secure password policies for accounts.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

Logon Session Creation (Logon Session)

Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Logon Session Metadata (Logon Session)

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

User Account Authentication (User Account)

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Azure AD Threat Intelligence

azure

Password Provided In Command Line Of Net.EXE

windows process creation

Roles Are Not Being Used

azure

Roles Assigned Outside PIM

azure

Unfamiliar Sign-In Properties

azure

Azure Subscription Permission Elevation Via AuditLogs

azure

User Added to Local Administrator Group

windows

OpenCanary - Telnet Login Attempt

opencanary application

AWS Suspicious SAML Activity

aws

Account Created And Deleted Within A Close Time Frame

azure

Cisco LDP Authentication Failures

cisco

Juniper BGP Missing MD5

juniper

PIM Alert Setting Changes To Disabled

azure

Guest Users Invited To Tenant By Non Approved Inviters

azure

Huawei BGP Authentication Failures

huawei

Cisco BGP Authentication Failures

cisco

Failed Logon From Public IP

windows

Suspicious Computer Machine Password by PowerShell

windows ps module

Too Many Global Admins

azure

Measurable Increase Of Successful Authentications

azure

Roles Activation Doesn't Require MFA

azure

Stale Accounts In A Privileged Role

azure

Microsoft 365 - Impossible Travel Activity

m365

New Country

azure

Guest Account Enabled Via Sysadminctl

macos process creation

Increased Failed Authentications Of Any Type

azure

OpenCanary - SSH Login Attempt

opencanary application

Applications That Are Using ROPC Authentication Flow

azure

Win Susp Computer Name Containing Samtheadmin

windows

Azure Domain Federation Settings Modified

azure

Authentications To Important Apps Using Single Factor Authentication

azure

External Remote RDP Logon from Public IP

windows

Root Account Enable Via Dsenableroot

macos process creation

Impossible Travel

azure

Atypical Travel

azure

Roles Activated Too Frequently

azure

Suspicious Browser Activity

azure

Suspicious SignIns From A Non Registered Device

azure

Google Cloud Kubernetes Admission Controller

gcp

Invalid PIM License

azure

Azure Unusual Authentication Interruption

azure

Account Tampering - Suspicious Failed Logon Reasons

windows

Activity From Anonymous IP Address

azure

Azure Kubernetes Admission Controller

azure

OpenCanary - SSH New Connection Attempt

opencanary application

User Added to an Administrator's Azure AD Role

azure

External Remote SMB Logon from Public IP

windows

Suspicious Remote Logon with Explicit Credentials

windows

Logon from a Risky IP Address

m365

Application Using Device Code Authentication Flow

azure