MITRE ATT&CK T1078 Valid Accounts Explained
February 03, 2026
MITRE ATT&CK T1078 (Valid Accounts) describes a technique where adversaries use legitimate credentials, including default, local, domain, or cloud accounts, to access systems, maintain persistence, and escalate privileges without exploiting software vulnerabilities. By authenticating as authorized users, attackers bypass many security controls and blend into normal activity, making detection difficult.
Valid account abuse enables multiple attack objectives at once, including initial access, lateral movement, persistence, privilege escalation, and defense evasion. As identity-driven access becomes central to modern IT and cloud environments, T1078 has emerged as one of the most reliable and frequently used techniques in real-world attacks.
Industry research confirms this trend.
The Picus Blue Report found that Valid Accounts (T1078) succeeded in 98% of tested environments [1], while other research showed that nearly one-third of intrusions relied on legitimate credentials rather than malware or exploits [2].
For defenders, this makes T1078 not merely a common technique, but a foundational identity risk that must be addressed directly.
T1078.001 Valid Accounts: Default Accounts
Default Accounts (ATT&CK T1078.001) is a MITRE ATT&CK sub-technique where adversaries abuse built-in or factory-configured credentials that come by default in systems, software, or devices. These accounts are often pre-configured, well-known, or left unchanged after deployment, making them easily exploitable.
Examples include:
- Default Administrator/Guest accounts on Windows
- Root accounts on Linux systems
- Provider-set accounts on appliances
- Default service identities in cloud platforms (e.g., AWS root user, Kubernetes service accounts)
Adversary Use of Valid Accounts: Default Accounts
Adversaries exploit default credentials for initial access, persistence, privilege escalation, and defense evasion because:
- These credentials are widely documented or easily guessable.
- Devices or applications often ship with well-known username/password pairs or pre-issued keys that are rarely modified by defenders.
- Default accounts allow attackers to bypass access controls, authenticate legitimately, and blend in with normal activity.
In 2025, several threat reports highlighted continued abuse of default and vendor-configured accounts:
- WARP PANDA leveraged the built-in VMware vpxuser account to persist on vCenter and ESXi systems, enabling privileged access and lateral movement through a default account [3].
- ShadowPad malware campaigns mapped privilege escalation activity to default accounts, indicating the abuse of default credentials to expand control post-compromise [4].
- Beast ransomware operations explicitly list T1078.001 under privilege escalation, demonstrating that ransomware actors also rely on default accounts as part of their intrusion workflow [5].
- In the Console Chaos campaign, attackers hijacked a default guest account on FortiGate firewalls to authenticate to SSL VPN, using default access as an entry point [6].
Together, these cases show that T1078.001 remains a reliable and widely used technique in modern attack chains, especially where default configurations persist.
T1078.002 Valid Accounts: Domain Accounts
Domain Accounts (ATT&CK T1078.002) is a MITRE ATT&CK sub-technique where adversaries abuse legitimate domain account credentials managed by Active Directory Domain Services (AD DS). These accounts, which may include user, admin, or service credentials, enable attackers to gain access, maintain persistence, and escalate privileges within a network, all while evading detection.
Adversaries typically acquire these credentials through methods such as credential dumping, phishing, or password reuse. Once compromised, these credentials allow attackers to move laterally, escalate privileges, and blend into normal network traffic, making detection difficult.
By exploiting the trusted nature of domain accounts, T1078.002 allows attackers to bypass traditional security controls, often blending into legitimate activities and maintaining a foothold for extended periods without raising alarms.
Adversary Use of Valid Accounts: Domain Accounts
Several ransomware groups and threat actors have demonstrated the abuse of T1078.002, using compromised domain accounts to advance their attacks.
This tactic enables attackers to blend in with legitimate network activity, evade detection, and maintain persistent access across systems.
“The Gentlemen” Ransomware Campaign
Research on The Gentlemen ransomware highlights the use of privileged domain accounts as part of its intrusion techniques [7]. The threat actors employed these accounts to deploy ransomware and implemented evasion strategies to maintain persistence against security controls.
LV Ransomware Group
Picus Labs identified that the LV Ransomware group gained domain admin privileges through compromised domain administrator credentials, further enabling their access and movement within the network.
DragonForce Ransomware Group
DragonForce was observed abusing domain accounts to maintain access to compromised Active Directory accounts or to create new backdoors, so that even after a machine was cleaned, the attackers could regain access.
In one notable case involving M&S, the attackers used domain admin credentials to pivot to any system at will, with multiple fallback accounts ensuring continued access, even if one backdoor was discovered.
T1078.003 Valid Accounts: Local Accounts
Local Accounts (ATT&CK T1078.003) is a MITRE ATT&CK sub-technique where adversaries exploit local account credentials to gain access to individual systems. Local accounts are user, administrative, or service credentials that are configured on specific systems (e.g., workstations or servers) and not centrally managed by Active Directory [8].
Adversaries typically gain access to these credentials through credential dumping, phishing, password reuse, or brute-forcing. Once compromised, these credentials enable attackers to achieve several objectives:
- Initial Access. Gaining access to a host by authenticating with valid local credentials.
- Persistence. Maintaining access on the compromised system without deploying obvious malware.
- Privilege Escalation. Leveraging weak or reused local account credentials to gain elevated privileges.
- Defense Evasion. Blending in with normal activity, allowing attackers to evade detection.
Additionally, local account credentials that are reused across multiple systems offer attackers an opportunity to move laterally, expanding their reach across the network.
Local account abuse often involves using legitimate logins for remote services (e.g., RDP, SMB, or WinRM) to pivot to other systems. If not properly managed, local accounts can become a significant vector for persistent access and lateral movement in compromised environments.
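As an added illustration of the default-account abuse covered in the T1078.001 section and the reused-local-credential lateral movement described just above (example code written for this article, not from Picus or any of the cited reports), the following Python runs two detection rules over constructed Windows 4624-style logon records: built-in accounts (including the vpxuser account named earlier) authenticating over remote services, and one local account name reaching several hosts within a short window. The record layout, account names, source IPs and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in account names the article mentions; vpxuser is the VMware default abused by WARP PANDA.
DEFAULT_ACCOUNTS = {"administrator", "guest", "vpxuser", "root"}
# 4624 logon types that indicate a remote service: 3 = Network (SMB/WinRM), 10 = RemoteInteractive (RDP)
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample 4624-style records (not real logs):
# (timestamp, target host, account name, account domain, logon type, source IP)
SAMPLE_EVENTS = [
    ("2026-01-29T08:00:00", "WS01", "alice", "CORP", 2, "-"),
    ("2026-01-29T08:05:00", "WS01", "Guest", "WS01", 3, "10.0.0.50"),
    ("2026-01-29T08:10:00", "WS02", "ladmin", "WS02", 3, "10.0.0.50"),
    ("2026-01-29T08:12:00", "WS03", "ladmin", "WS03", 10, "10.0.0.50"),
    ("2026-01-29T08:14:00", "SRV01", "ladmin", "SRV01", 3, "10.0.0.50"),
    ("2026-01-29T09:00:00", "SRV02", "svc_backup", "CORP", 3, "10.0.0.7"),
]


def is_local_account(host, domain):
    """In a 4624 record, an account domain equal to the hostname means a local (SAM) account."""
    return domain.lower() == host.lower()


def find_default_account_remote_logons(events):
    """Rule 1 (T1078.001): a built-in account authenticating over a remote service."""
    return [(ts, host, user, src)
            for ts, host, user, _domain, ltype, src in events
            if user.lower() in DEFAULT_ACCOUNTS and ltype in REMOTE_LOGON_TYPES]


def find_local_account_spread(events, min_hosts=3, window=timedelta(minutes=30)):
    """Rule 2 (T1078.003): the same local account name logging on remotely to
    min_hosts or more distinct hosts inside one window, the trace left by a
    reused local administrator password being used for lateral movement."""
    by_user = defaultdict(list)
    for ts, host, user, domain, ltype, src in events:
        if ltype in REMOTE_LOGON_TYPES and is_local_account(host, domain):
            by_user[user.lower()].append((datetime.fromisoformat(ts), host, src))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _, _) in enumerate(logons):
            hosts = {h for t, h, _ in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, sorted(hosts)))
                break
    return alerts
```

On the constructed sample, rule 1 flags the Guest network logon and rule 2 flags ladmin reaching three hosts in four minutes; the domain user svc_backup is ignored by rule 2 because its account domain is not the hostname.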
Adversary Use of Valid Accounts: Local Accounts
Several threat actors have demonstrated the abuse of T1078.003 – Valid Accounts: Local Accounts, using compromised local account credentials to further their attacks. This technique helps attackers maintain access, escalate privileges, and move laterally within a network while evading detection.
Play Ransomware (PlayCrypt)
The Play ransomware group has been observed using both domain and local account credentials as part of its attack chain [9]. T1078.003 is specifically mentioned in the group’s credential abuse tactics, enabling the operators to move laterally and maintain persistence across compromised systems. This shows how local accounts were abused to ensure long-term access after initial infection.
Active Intrusions
Reports from active threat intelligence [10] show that T1078.003 is commonly used for access and persistence in ongoing attacks, alongside other techniques like Create Account: Local Account and Boot or Logon Autostart Execution. This reinforces that local account abuse remains a key tactic in compromises.
Intrusion Patterns
Further intelligence confirms that T1078.003 is part of the intrusion workflow for multiple adversaries [11], particularly for Initial Access, Persistence, Privilege Escalation, and Defense Evasion. This shows that local account abuse continues to be actively exploited by adversaries to gain footholds, maintain access, and escalate privileges within compromised environments.
T1078.004 Valid Accounts: Cloud Accounts
Cloud Accounts (ATT&CK T1078.004) is a MITRE ATT&CK sub-technique where attackers abuse legitimate cloud identities to gain and maintain access in cloud environments.
Cloud accounts include user, admin, service, and federated identities used across SaaS, IaaS, and cloud identity providers. When attackers obtain valid cloud credentials, most commonly through phishing, token theft, misconfigurations, or compromised federated trust, they can operate as authorized users without triggering traditional security controls.
Once access is established, adversaries can:
- Access cloud data and APIs
- Perform administrative actions
- Create new users or tokens for persistence
- Abuse IAM misconfigurations to escalate privileges
- Pivot between cloud and on-prem environments via federation
Because activity is performed using valid credentials, detection is difficult. Actions often blend into normal user behavior, making this technique highly effective for initial access, persistence, privilege escalation, and defense evasion in modern cloud-first environments.
From an attacker’s perspective, logging in is easier and quieter than breaking in, which is why cloud account abuse has become a dominant tactic in real-world breaches.
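As an added example (not part of the original post), the following Python runs two defender-side checks over constructed CloudTrail-style audit records: any use of the account root user, which the Default Accounts section lists as a default cloud identity, and the persistence-type IAM changes listed above (new users, access keys, login profiles, MFA devices) judged against an assumed per-principal source-IP baseline. The record layout is simplified and the baseline, principals and IPs are invented.

```python
import json

# IAM actions the article associates with persistence: new users, keys, console passwords, MFA devices.
PERSISTENCE_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                       "EnableMFADevice", "AttachUserPolicy"}

# Assumed baseline: source IPs each principal was seen from during a learning period.
KNOWN_SOURCE_IPS = {"alice": {"203.0.113.10"}, "deploy-role": {"198.51.100.5"}}

# Constructed CloudTrail-style records (not real logs), one JSON object per line.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "Root", "userName": "root"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "EnableMFADevice", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "CreateUser", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy-role"}},
]]


def evaluate(raw_lines, known_ips=KNOWN_SOURCE_IPS):
    """Return (rule, principal, eventName, sourceIP) findings for each matching record."""
    findings = []
    for line in raw_lines:
        rec = json.loads(line)
        ident = rec.get("userIdentity", {})
        name, itype = ident.get("userName", ""), ident.get("type", "")
        action, src = rec.get("eventName"), rec.get("sourceIPAddress")
        # Rule 1: any activity by the account root user, the default cloud identity the article names.
        if itype == "Root":
            findings.append(("root_account_used", name, action, src))
        # Rule 2: persistence-style IAM changes; highest priority when the principal's
        # source IP is outside its baseline, still worth review when it is not.
        if action in PERSISTENCE_ACTIONS:
            rule = ("persistence_from_new_ip" if src not in known_ips.get(name, set())
                    else "persistence_from_known_ip")
            findings.append((rule, name, action, src))
    return findings
```

On the sample, the root console login and alice's key creation and MFA enrolment from an unseen address are raised at the top tier, while the deploy role creating a user from its usual address is queued for review rather than dropped, since a valid credential used from a familiar location is exactly what this technique looks like.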
Adversary Use of Valid Accounts: Cloud Accounts
EXTEN Ransomware Campaign
In the EXTEN ransomware campaign, operators leveraged compromised or poorly secured cloud accounts as trusted access points to support their attacks [12]. By abusing valid cloud credentials and built-in cloud management features, the attackers were able to blend malicious actions with legitimate administrative activity, reducing the chance of detection.
Scattered Spider Threat Group
In the 2025 UK retail attacks, the threat group Scattered Spider leveraged compromised cloud accounts as a core part of their intrusion strategy [13]. After obtaining credentials through vishing, MFA fatigue, and help-desk deception, the group accessed cloud identity platforms (e.g., Azure AD) and SaaS services using valid cloud accounts (T1078.004). This allowed them to operate as legitimate users, blend into normal authentication and administrative activity, and bypass many traditional security controls.
Using these cloud accounts, Scattered Spider performed cloud and identity discovery, created or modified accounts for persistence, enrolled attacker-controlled MFA devices, and staged data for exfiltration to attacker-controlled cloud storage. Cloud access also enabled seamless lateral movement between on-premises and cloud environments, supporting their double-extortion model: stealing sensitive data before deploying DragonForce ransomware to maximize operational disruption, reputational damage, and ransom pressure.
Silk Typhoon APT (a.k.a. HAFNIUM)
In the campaign attributed to Silk Typhoon, the group leveraged cloud accounts, service principals, and API keys to expand access and conduct large-scale espionage operations. After gaining initial access through zero-day exploits, password spraying, or stolen credentials from IT and cloud service providers, the group abused legitimate cloud identities to move laterally from on-premises environments into cloud tenants.
Silk Typhoon manipulated service principals and OAuth applications with pre-consented administrative permissions, adding their own credentials to trusted apps and using Microsoft Graph and EWS APIs to quietly exfiltrate email, OneDrive, and SharePoint data. By abusing API keys from PAM, cloud app, and data management platforms, they accessed downstream customer environments, reset admin accounts, created new users for persistence, and cleared logs to evade detection.
This cloud-centric abuse allowed the group to blend into normal administrative activity, rapidly exfiltrate sensitive data, and sustain long-term access across multiple organizations, highlighting how trusted cloud identities and integrations can be weaponized for stealthy, high-impact espionage.
Key Takeaways
Valid Accounts (T1078) is one of the most reliable attacker techniques, succeeding in 98% of tested environments according to the Picus Blue Report 2025, making identity abuse harder to stop than malware or exploits.
Modern attackers prefer logging in over breaking in. Nearly one-third of intrusions in 2025 relied on legitimate credentials, bypassing traditional security controls.
All four T1078 sub-techniques are actively abused in real attacks:
- T1078.001 Default Accounts: Exploited through unchanged vendor or system credentials (e.g., WARP PANDA, Console Chaos).
- T1078.002 Domain Accounts: Used for lateral movement and persistence in ransomware campaigns (e.g., DragonForce, LV, The Gentlemen).
- T1078.003 Local Accounts: Enable stealthy host access and fallback persistence (e.g., Play ransomware).
- T1078.004 Cloud Accounts: Central to SaaS and identity-centric breaches (e.g., Scattered Spider, Silk Typhoon).
Credential-based access enables multiple attack objectives simultaneously, including initial access, persistence, privilege escalation, and defense evasion.
Detection is difficult because activity appears legitimate. Attacker actions blend into normal authentication and administrative behavior, especially in Active Directory and cloud identity platforms.
Cloud and identity systems are now primary attack surfaces. Abuse of federated identities, service principals, OAuth apps, and API keys enables stealthy cross-environment movement.
Severity scores alone fail to capture real risk. T1078 abuse often bypasses controls without exploiting vulnerabilities, making exposure validation critical.
Effective defense requires validating identity abuse paths, not just monitoring credentials or scoring vulnerabilities.
References
[1] “Blue Report 2025.” Available: https://www.picussecurity.com/blue-report. [Accessed: Jan. 29, 2026]
[2] Check Point Blog. Available: https://blog.checkpoint.com/security/the-alarming-surge-in-compromised-credentials-in-2025/
[3] Counter Adversary Operations, “Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary,” CrowdStrike.com, Dec. 04, 2025. Available: https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/. [Accessed: Jan. 29, 2026]
[4] S. Lister, “Darktrace’s Detection of State-Linked ShadowPad Malware,” Mar. 12, 2025. Available: https://www.darktrace.com/blog/darktrace-detection-of-state-linked-shadowpad-malware. [Accessed: Jan. 29, 2026]
[5] A. Owda, “Dark Web Profile: Beast Ransomware,” SOCRadar® Cyber Intelligence Inc., Aug. 19, 2025. Available: https://socradar.io/blog/dark-web-profile-beast-ransomware/. [Accessed: Jan. 29, 2026]
[6] S. Hostetler et al., “Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls,” Arctic Wolf, Jan. 10, 2025. Available: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/. [Accessed: Jan. 29, 2026]
[7] “Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed,” Trend Micro, Sep. 09, 2025. Available: https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html. [Accessed: Jan. 29, 2026]
[8] “Valid Accounts: Local Accounts.” Available: https://attack.mitre.org/techniques/T1078/003/. [Accessed: Jan. 29, 2026]
[9] “Valid Accounts: Local Accounts.” Available: https://attack.mitre.org/techniques/T1078/003/. [Accessed: Jan. 29, 2026]
[10] P. Aash, “Weekly Cybersecurity Intelligence Report Cyber Threats & Breaches July 14-21, 2025,” FireCompass, Jul. 22, 2025. Available: https://firecompass.com/weekly-cybersecurity-intelligence-report-cyber-threats-breaches-july-14-21/. [Accessed: Jan. 29, 2026]
[11] “Weekly Intelligence Report – 29 August 2025,” CYFIRMA. Available: https://www.cyfirma.com/news/weekly-intelligence-report-29-august-2025/. [Accessed: Jan. 29, 2026]
[12] “Weekly Intelligence Report – 12 September 2025,” CYFIRMA. Available: https://www.cyfirma.com/news/weekly-intelligence-report-12-september-2025/. [Accessed: Feb. 01, 2026]
[13] “Common MITRE ATT&CK Techniques in 2025 UK Retailer Cyberattacks.” Available: https://www.preludesecurity.com/blog/scattered-spiders-2025-cyberattacks-on-uk-retailers. [Accessed: Feb. 01, 2026]
