Technique ID: T1078
Category: MITRE ATT&CK
Tactics: Initial Access, Defense Evasion, Persistence, Privilege Escalation
Published: March 2026

T1078: Valid Accounts

Adversaries obtain and abuse credentials of existing accounts to gain initial access, maintain persistence, escalate privileges, and evade defenses. Because the attacker authenticates as a legitimate user, traditional perimeter and signature-based controls are bypassed entirely. There is no exploit. There is no malware. There is only a login.

T1078 is one of the most dangerous techniques in the MITRE ATT&CK framework precisely because it is one of the simplest. An adversary with valid credentials does not need to exploit a vulnerability, drop a payload, or bypass an EDR agent. They log in. The system sees a legitimate authentication event, grants access, and the attacker begins operating with whatever privileges that account holds.

This technique spans four tactics in the ATT&CK matrix — Initial Access, Defense Evasion, Persistence, and Privilege Escalation — making it one of the few techniques that serves an adversary across nearly every phase of an intrusion. The Picus Blue Report found that T1078 succeeded in 98% of tested environments, and separate research from CrowdStrike and Check Point has shown that nearly one-third of intrusions now rely on legitimate credentials rather than malware or exploits.

How Valid Account Abuse Works

The technique begins with credential acquisition. Adversaries obtain valid usernames and passwords through a range of methods: phishing campaigns that harvest credentials through fake login pages, purchasing stolen credentials from dark web marketplaces, exploiting credential reuse across services, brute-forcing weak passwords through spraying attacks, or stealing session tokens through adversary-in-the-middle (AiTM) attacks that bypass multi-factor authentication entirely.

Once the attacker has working credentials, they authenticate to the target system or service just as any authorized user would. This could mean logging into a VPN, accessing a cloud console, connecting via RDP or SSH, or authenticating to a web application. The system processes the request as a normal login event.

What makes T1078 particularly dangerous is what comes next — or more accurately, what does not. Many threat actors deliberately avoid deploying malware, running scripts, or making configuration changes that would trigger detection rules. They operate entirely through legitimate tools and access paths, a practice known as living off the land. This approach can sustain access for months without generating a single alert.

Sub-Techniques

MITRE breaks T1078 into four sub-techniques, each representing a different category of account that adversaries target:

T1078.001 — Default Accounts

Adversaries exploit built-in or factory-configured credentials that ship with operating systems, network devices, applications, and IoT hardware. These accounts are publicly documented, rarely changed after deployment, and provide immediate access without any credential theft required. Default credentials on internet-facing appliances — routers, firewalls, cameras, industrial controllers — remain one of the most reliable entry points for both opportunistic attackers and nation-state operators.

T1078.002 — Domain Accounts

Domain accounts managed by Active Directory are high-value targets because a single compromised domain credential can provide access to every system joined to that domain. Adversaries acquire domain credentials through credential dumping (T1003), phishing, Kerberoasting, or by purchasing them from initial access brokers. Compromised domain admin accounts are particularly devastating — they effectively give an attacker control of the entire environment.

T1078.003 — Local Accounts

Local accounts exist on individual systems rather than being managed centrally. They are attractive targets because local account events are only logged on the target machine (not on domain controllers), making cross-system correlation more difficult. Local admin accounts that share the same password across multiple endpoints enable rapid lateral movement through pass-the-hash attacks. Network infrastructure devices like switches and routers often rely on local accounts with weaker authentication controls and no EDR coverage.

T1078.004 — Cloud Accounts

Cloud accounts — including those for AWS IAM, Azure AD, Google Cloud, and SaaS applications — have become primary targets as organizations migrate infrastructure and data to cloud platforms. Compromised cloud credentials can grant access to storage buckets, databases, compute instances, and administrative consoles. Cloud environments often have a broader blast radius than on-premises systems because a single privileged account may control resources across multiple regions and services.

Real-World Case Studies

Adversary-in-the-Middle Session Hijacking

AiTM attacks represent one of the most effective modern methods for obtaining valid credentials that bypass MFA. The attacker positions a proxy between the victim and the legitimate login page, captures the authenticated session token after the user completes MFA, and replays that token to gain access as the authenticated user. The credential theft happens after authentication is complete, which means MFA was technically successful — it just did not protect the session. This technique has been used extensively against Microsoft 365 environments, where stolen session cookies provide full access to email, SharePoint, and OneDrive.

Related: AiTM vs. MiTM — Understanding the Attack That Breaks MFA

The FICOBA Breach — One Credential, 1.2 Million Bank Accounts

In one of the starkest demonstrations of T1078 in practice, an unknown threat actor used a single stolen government credential to gain unrestricted access to France's national bank account registry (FICOBA) for multiple days. No malware was deployed. No vulnerability was exploited. The attacker authenticated with valid credentials and accessed records for 1.2 million bank accounts. The breach was not detected through security monitoring — it was discovered after the fact.

Related: One Password. 1.2 Million Bank Accounts. The FICOBA Breach

The Figure Technology Solutions Breach — Vishing to Valid Credentials

ShinyHunters, one of the most prolific data breach groups operating today, compromised Figure Technology Solutions — the largest nonbank HELOC lender in the United States — through a single vishing (voice phishing) call. The social engineering attack extracted credentials that provided access to nearly one million customer records. The threat actors bypassed MFA in real time during the call and used the resulting valid session to access internal systems as a legitimate user.

Related: Your Blockchain Bank Got Hacked by a Phone Call — The Figure Data Breach

Volt Typhoon — Valid Credentials as a National Security Threat

The China-linked threat group Volt Typhoon has been documented by CISA and Microsoft as relying primarily on valid credentials — rather than malware — to maintain long-term persistent access to U.S. critical infrastructure. Their operations prioritize stealth over disruption: they authenticate with stolen credentials, use built-in system tools for reconnaissance, and avoid deploying any files or binaries that would trigger endpoint detection. Volt Typhoon represents the strategic end of T1078 — credential abuse as a means of pre-positioning for potential future conflict.

Scattered Spider — Credential Abuse at Scale

Scattered Spider (UNC3944) has demonstrated sophisticated use of valid account abuse against major enterprises including MGM Resorts, Caesars Entertainment, and Coinbase. The group uses social engineering — calling IT help desks to reset passwords and register new MFA devices — to obtain valid credentials for privileged accounts. Once authenticated, they leverage their access for data theft and ransomware deployment, operating as legitimate administrators throughout the intrusion chain.

Detection Strategies

Detecting T1078 is inherently difficult because the authentication events it generates are indistinguishable from legitimate logins. Detection relies on behavioral analysis, contextual anomaly detection, and correlation of authentication events across multiple data sources.

Key Windows Event IDs

Event ID | Source   | What It Captures
---------|----------|-----------------
4624     | Security | Successful logon — monitor for unusual logon types (Type 3 network, Type 10 RDP), off-hours activity, and unfamiliar source IPs
4625     | Security | Failed logon — correlate bursts of failures followed by a successful 4624 from the same source (indicates credential spraying)
4648     | Security | Logon using explicit credentials — indicates a process authenticated with credentials different from the logged-on user
4672     | Security | Special privileges assigned to new logon — indicates an account logged on with administrative privileges
4768     | Security | Kerberos TGT request — monitor for requests from unusual hosts or at unusual times
4769     | Security | Kerberos service ticket request — high volumes from a single account may indicate lateral movement
4776     | Security | NTLM authentication — should be rare in modern environments; high volumes may indicate pass-the-hash

Detection Queries

The following queries target the behavioral patterns associated with T1078 rather than the technique itself. Since the authentication is legitimate, detection depends on identifying anomalies in context, timing, geography, and sequence.

# Detect failed login bursts followed by successful auth (credential spraying)
# Windows Security Log — correlate 4625 failures with subsequent 4624 success

index=wineventlog (EventCode=4625 OR EventCode=4624)
| stats count(eval(EventCode=4625)) as failures,
        count(eval(EventCode=4624)) as successes,
        earliest(_time) as first_seen,
        latest(_time) as last_seen
  by src_ip, TargetUserName
| where failures > 5 AND successes > 0
| eval time_window = last_seen - first_seen
| where time_window < 600

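The same correlation as the search above, as an added Python example that is not part of the original page or of MITRE's material, run over constructed 4624/4625 events. It goes one step further than the search: the failures must precede the success, and the number of distinct accounts tried from the source is reported, which separates a spray across many users from brute force against one.

```python
"""Correlate 4625 failures with a following 4624 success per source IP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real environment), already parsed
# from Windows Security 4624/4625 records: time, Event ID, source IP, account.
SAMPLE_EVENTS = [
    ("2026-03-02T02:00:01", 4625, "203.0.113.7", "alice"),
    ("2026-03-02T02:00:03", 4625, "203.0.113.7", "bob"),
    ("2026-03-02T02:00:05", 4625, "203.0.113.7", "carol"),
    ("2026-03-02T02:00:08", 4625, "203.0.113.7", "dave"),
    ("2026-03-02T02:00:10", 4625, "203.0.113.7", "erin"),
    ("2026-03-02T02:00:12", 4625, "203.0.113.7", "frank"),
    ("2026-03-02T02:00:20", 4624, "203.0.113.7", "frank"),  # success after the spray
    ("2026-03-02T09:15:00", 4625, "10.0.0.5", "alice"),     # one mistyped password
    ("2026-03-02T09:15:04", 4624, "10.0.0.5", "alice"),     # benign retry
]

def detect_spraying(events, min_failures=5, window_seconds=600):
    """Return one finding per source IP whose 4624 success is preceded, within
    window_seconds, by more than min_failures 4625 failures. Unlike a plain
    count over the search period, the failures must come before the success."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(list)  # src_ip -> [(time, account), ...]
    findings = []
    for ts, event_id, src_ip, account in sorted(events):  # ISO timestamps sort
        now = datetime.fromisoformat(ts)
        # drop failures that have aged out of the lookback window for this source
        recent = [(t, a) for t, a in recent_failures[src_ip] if now - t <= window]
        recent_failures[src_ip] = recent
        if event_id == 4625:
            recent.append((now, account))
        elif event_id == 4624 and len(recent) > min_failures:
            findings.append({
                "src_ip": src_ip,
                "account": account,
                "failures": len(recent),
                "distinct_targets": len({a for _, a in recent}),
                "first_failure": recent[0][0].isoformat(),
                "success_at": now.isoformat(),
            })
            recent_failures[src_ip] = []  # one burst yields one finding
    return findings

if __name__ == "__main__":
    for finding in detect_spraying(SAMPLE_EVENTS):
        print(finding)
```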
# Detect impossible travel — same account authenticating from
# geographically distant locations within a short time window
# Each sign-in is compared with the previous sign-in of the same user,
# so the check stays valid when the search runs over a long time range

index=azure_signin OR index=o365
| iplocation src_ip
| sort 0 user, _time
| streamstats current=f window=1 last(Country) as prev_country,
        last(City) as prev_city, last(_time) as prev_time by user
| eval delta_minutes = (_time - prev_time) / 60
| where isnotnull(prev_country) AND Country != prev_country AND delta_minutes < 120
| table _time, user, src_ip, prev_city, prev_country, City, Country, delta_minutes

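An added Python example (not from the original page) of the consecutive-sign-in comparison over constructed, geolocated sign-ins. It replaces the country-count heuristic with the travel speed implied between consecutive logins, so two nearby locations in different countries are not flagged while a transcontinental hop within the hour is.

```python
"""Flag impossible travel between consecutive sign-ins of the same account."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins (not real data): time, account, and the
# latitude/longitude a GeoIP lookup (e.g. Splunk's iplocation) attaches
# to the source address.
SAMPLE_SIGNINS = [
    ("2026-03-02T08:00:00", "alice", 48.8566, 2.3522),    # Paris
    ("2026-03-02T08:45:00", "alice", 35.6762, 139.6503),  # Tokyo, 45 minutes later
    ("2026-03-02T08:00:00", "bob", 51.5074, -0.1278),     # London
    ("2026-03-02T15:00:00", "bob", 40.7128, -74.0060),    # New York, 7 hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(signins, max_speed_kmh=900.0):
    """Return a finding for each pair of consecutive sign-ins by one account
    whose implied travel speed exceeds max_speed_kmh (about airliner speed).
    Consecutive pairs, not first/last over the whole window, are compared so
    the check holds for long search ranges."""
    by_account = defaultdict(list)
    for ts, account, lat, lon in signins:
        by_account[account].append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for account, rows in by_account.items():
        rows.sort()  # chronological order per account
        for (t1, lat1, lon1), (t2, lat2, lon2) in zip(rows, rows[1:]):
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            # a location change with no elapsed time is impossible as well
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append({"account": account, "km": round(km),
                                 "minutes": round(hours * 60)})
    return findings

if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```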
# Detect logon activity from dormant or disabled accounts
# Accounts with no login activity in 90+ days that suddenly authenticate

index=wineventlog EventCode=4624
| stats latest(_time) as last_logon, earliest(_time) as first_logon
  by TargetUserName
| eval days_since_last = (now() - last_logon) / 86400
| join TargetUserName [
    | inputlookup dormant_accounts.csv
  ]
| where days_since_last < 1

Cloud-specific detection requires monitoring cloud provider audit logs (AWS CloudTrail, Azure AD sign-in logs, Google Workspace audit logs) for anomalous authentication events, particularly API-based logins from unfamiliar user agents, regions, or IP ranges that do not correspond to the organization's known infrastructure.

Known Threat Actors

T1078 is one of the most broadly used techniques in the ATT&CK framework, employed by both cybercriminal groups and state-sponsored actors. The following is a partial list of groups documented by MITRE and commercial threat intelligence as using valid account abuse as a core part of their operational tradecraft:

  • Volt Typhoon (China) — Pre-positioning in U.S. critical infrastructure using stolen credentials and living-off-the-land techniques
  • APT41 (China) — Used compromised credentials for lateral movement across both government and private sector targets
  • Scattered Spider (UNC3944) — Social engineering to obtain valid credentials for high-profile enterprise targets
  • FIN7 / FIN8 — Harvested administrative credentials for lateral movement in financially motivated intrusions
  • DragonForce — Abused domain accounts to maintain persistent access even after partial remediation
  • LAPSUS$ — Purchased stolen credentials and exploited MFA fatigue to gain access to major technology companies
  • ShinyHunters — Obtained credentials through social engineering for large-scale data theft operations

Defensive Recommendations


T1078 cannot be fully prevented by any single control. Defense requires a layered approach combining identity governance, authentication hardening, behavioral monitoring, and continuous validation.

  1. Deploy phishing-resistant MFA: FIDO2 security keys and certificate-based authentication are resistant to AiTM proxy attacks. Legacy MFA methods (SMS, push notifications, TOTP) can be bypassed through session hijacking and MFA fatigue attacks.
  2. Implement Conditional Access policies: Restrict authentication based on device compliance, geographic location, IP reputation, risk score, and client application. Block legacy authentication protocols that do not support MFA.
  3. Enforce least privilege and just-in-time access: Privileged accounts should not have standing access. Use Privileged Access Management (PAM) solutions to grant elevated access only when needed, with approval workflows and session recording.
  4. Audit and disable dormant accounts: Accounts belonging to former employees, completed service engagements, or unused service accounts are prime targets. Implement automated account lifecycle management with regular access reviews.
  5. Eliminate default credentials: Audit all network devices, appliances, applications, and infrastructure for default or factory-configured credentials. Replace them before deployment and validate through periodic scanning.
  6. Monitor for credential exposure: Subscribe to dark web monitoring services that alert when organizational credentials appear in breach databases, paste sites, or underground marketplaces. Proactively force password resets for exposed accounts.
  7. Implement session token protections: Use token binding, continuous access evaluation (CAE), and short-lived session tokens to limit the window of opportunity for stolen session cookies.
  8. Baseline normal authentication behavior: UEBA (User and Entity Behavior Analytics) systems can detect anomalies in login timing, source location, device fingerprint, and access patterns that indicate credential compromise even when the authentication event itself is technically legitimate.

MITRE ATT&CK Mapping

Field             | Value
------------------|------
Technique ID      | T1078
Technique Name    | Valid Accounts
Tactics           | Initial Access, Defense Evasion, Persistence, Privilege Escalation
Platforms         | Windows, Linux, macOS, Azure AD, Google Workspace, AWS, SaaS, Network, Containers
Sub-Techniques    | T1078.001 Default Accounts, T1078.002 Domain Accounts, T1078.003 Local Accounts, T1078.004 Cloud Accounts
Data Sources      | Logon Session (Creation), User Account (Authentication), Application Log
Defenses Bypassed | Firewall, Anti-virus, Host Intrusion Prevention Systems, Network Intrusion Detection, Application Control, System Access Controls
MITRE Reference   | attack.mitre.org/techniques/T1078
