MITRE ATT&CK T1078 Valid Accounts Technique Explained
Cybersecurity firm Picus Security details how attackers leverage legitimate credentials using the MITRE ATT&CK T1078 Valid Accounts technique to bypass security controls and gain unauthorized access.

Picus Security has published an analysis of the MITRE ATT&CK T1078 Valid Accounts technique, a prevalent method used by adversaries to gain access to systems and networks. This technique involves the abuse of legitimate user credentials, including default, local, domain, or cloud accounts, to authenticate and bypass security measures.
ATT&CK maps Valid Accounts to four tactics: Initial Access, Persistence, Privilege Escalation and Defense Evasion, and the same stolen or default credentials are routinely reused for lateral movement over ordinary remote services. Because the authentication itself is legitimate, the activity produces the same successful-logon events as a real user and rarely trips signature-based controls. As identity-driven access becomes central to modern IT infrastructure and cloud environments, T1078 has become one of the most effective and most frequently used attack vectors.
According to Picus Security's research, the Valid Accounts technique achieved a 98% success rate in the environments it tested. This aligns with broader industry findings that a large share of intrusions rely on compromised legitimate credentials rather than on exploiting software vulnerabilities.
The report highlights specific sub-techniques, including T1078.001 (Default Accounts), where attackers use factory-set or well-known credentials such as a default administrator, root or guest account that was never disabled or re-keyed, and T1078.002 (Domain Accounts), which covers the abuse of Active Directory credentials to authenticate to other hosts over SMB, RDP or WinRM and to escalate privileges. (ATT&CK also defines T1078.003 Local Accounts and T1078.004 Cloud Accounts under the same parent technique.)
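Because both sub-techniques produce ordinary successful-logon events, the practical detection question is what to look for in those events. The following is an added example, not code from Picus Security or from the report; it runs two simple checks over a constructed, simplified stand-in for Windows Security event 4624 fields (timestamp, account, domain, source IP, destination host, logon type). The default-account list, the fan-out threshold and the ten-minute window are assumptions to be tuned per environment.

```python
"""Detection sketch for MITRE ATT&CK T1078.001 / T1078.002 over logon events.

Added example, not from Picus Security. The pipe-separated event format is a
constructed, simplified stand-in for Windows Security event 4624 fields;
the account list, threshold and window below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# T1078.001: well-known default account names that should not be logging on
# at all in a hardened estate (assumed list; extend with vendor defaults).
DEFAULT_ACCOUNTS = {"administrator", "root", "guest", "admin"}

# T1078.002: a domain account performing network logons (type 3) to more than
# this many distinct hosts inside the window is flagged as possible lateral
# movement (assumed threshold and window).
FANOUT_THRESHOLD = 3
FANOUT_WINDOW = timedelta(minutes=10)

# Constructed sample events: time|account|domain|source IP|dest host|logon type
# (2 = interactive, 3 = network, 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00|jdoe|CORP|10.0.0.15|WS-01|2",
    "2024-05-01T09:02:10|administrator|WS-07|10.0.0.99|WS-07|10",
    "2024-05-01T09:05:00|svc_backup|CORP|10.0.0.50|FS-01|3",
    "2024-05-01T09:05:30|svc_backup|CORP|10.0.0.50|FS-02|3",
    "2024-05-01T09:06:00|svc_backup|CORP|10.0.0.50|DC-01|3",
    "2024-05-01T09:06:40|svc_backup|CORP|10.0.0.50|WS-03|3",
    "2024-05-01T09:30:00|jdoe|CORP|10.0.0.15|FS-01|3",
    "2024-05-01T11:00:00|svc_backup|CORP|10.0.0.50|FS-01|3",
]


def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, account, domain, src, dst, ltype = line.split("|")
    return {"time": datetime.fromisoformat(ts), "account": account.lower(),
            "domain": domain, "src": src, "dst": dst, "logon_type": int(ltype)}


def detect_default_accounts(events):
    """T1078.001: every successful logon by a well-known default account."""
    return [(e["time"].isoformat(), e["account"], e["dst"])
            for e in events if e["account"] in DEFAULT_ACCOUNTS]


def detect_domain_fanout(events):
    """T1078.002: one account reaching many hosts over the network in a short window."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == 3:
            per_account[e["account"]].append(e)
    alerts = []
    for account, evs in per_account.items():
        start = 0  # sliding window over time-ordered network logons
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > FANOUT_WINDOW:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) > FANOUT_THRESHOLD:
                alerts.append((account, tuple(sorted(hosts))))
                break  # one alert per account is enough for this sketch
    return alerts


def run(lines):
    """Parse the lines and return both detections keyed by sub-technique."""
    events = [parse_event(line) for line in lines]
    return {"default_accounts": detect_default_accounts(events),
            "domain_fanout": detect_domain_fanout(events)}


if __name__ == "__main__":
    for name, hits in run(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the sample data the first check flags the RDP logon by `administrator` to WS-07, and the second flags `svc_backup` for reaching four hosts in under two minutes while ignoring `jdoe`, whose single network logon is unremarkable. In a real SOC the fan-out rule needs a per-account baseline, since backup and monitoring service accounts legitimately touch many hosts; the point of the sketch is that both sub-techniques are visible only as patterns across otherwise valid logons, not as any single malicious event.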
Organizations face significant challenges in defending against such identity-based attacks, because the malicious logons are indistinguishable from legitimate ones at the protocol level. Picus Security's analysis emphasizes proactive identity risk management and continuous threat simulation to counter the widespread abuse of valid accounts; in practice that rests on the standard ATT&CK mitigations for T1078, namely disabling or re-keying default accounts, enforcing multi-factor authentication, restricting privileged account use, and monitoring logon telemetry for anomalous sources, times and host fan-out.