title: Valid Accounts (T1078)
id: df00tech-t1078
status: experimental
description: "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts belonging to individuals who are no longer part of an organization."
references:
  - https://attack.mitre.org/techniques/T1078/
  - https://df00tech.com/detections/T1078
author: df00tech
date: 2026/04/13
tags:
  - attack.t1078
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate travel — users accessing resources from new countries or cities during business travel
  - VPN or proxy changes — users switching VPN exit nodes causing IP and apparent location changes
  - "New device enrollment — first-time access from a newly provisioned corporate device triggers 'new IP' anomaly"
  - After-hours legitimate access — on-call engineers or executives working outside normal hours from home networks
  - "Conditional Access policy rollout periods — new CA policies may temporarily show as 'notApplied' during staged deployment"
level: high