Valid Accounts
Info
ID: AT-GA006
Tactic: Gain Access
Sub-techniques: Cloud Accounts, Default Accounts, Valid Tokens
Platforms: Linux, macOS, Windows, IaaS
Supports Remote: Yes
Version: 1.0
Valid Accounts
Adversaries may acquire, guess, or inherit valid user credentials and use them to deliver malicious payloads under the guise of legitimate activity. This often involves logging into administrative portals, developer consoles, or back-office services where the adversary can upload new code, modify configuration files, or plant backdoor artifacts. Because the attacker is authenticated, these actions blend with normal user behavior, making them difficult to detect at the delivery stage.
Organizations that fail to rotate credentials, employ strong password policies, or use multi-factor authentication leave themselves vulnerable to this approach. Once inside, attackers can insert payloads into source repositories, container registries, or plugin directories - anywhere privileged users typically have write access. Such unauthorized but valid logins serve as a powerful first step to installing malicious code that will eventually be executed in the environment.
Consumer applications lacking strong password policies or multi-factor authentication are particularly vulnerable to credential stuffing and account takeover attacks. Attackers can use reverse engineering and traffic analysis to identify weaknesses in the application and its APIs, then use these insights to launch credential-based attacks against user accounts. This combination of reconnaissance with credential attacks makes consumer-facing applications especially susceptible to unauthorized access through valid accounts.
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication | Implement multi-factor authentication for all user accounts |
M1027 | Password Policies | Enforce strong password policies and regular password rotation |
M1018 | User Account Management | Implement proper account management and access control policies |
Detection
ID | Data Source | Detection |
---|---|---|
DS0015 | Authentication Log | Alert on login from impossible-travel locations or new device fingerprints followed by high-privilege actions. |
DS0029 | Network Traffic Flow | Detect bulk data transfers shortly after first-time logins, suggesting unauthorized use of valid credentials. |
DS0002 | User Account Authentication | Correlate burst password-reset emails with subsequent successful logins from unfamiliar IPs. |
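As an added example (not part of the original page), the DS0015 rule above run over a constructed authentication log in Python: it flags a login that implies impossible travel from the user's previous login, and a high-privilege action taken in a session that started from a device fingerprint not in the user's baseline. The event field names, the speed threshold and the set of privileged actions are assumptions; the baseline handles the edge case of a user's very first observed login, which would otherwise always look like a new device.

```python
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900          # assumed threshold: faster than airline travel => impossible
PRIVILEGED = {"role_change", "deploy", "add_ssh_key"}   # assumed high-privilege actions

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events, baseline):
    """Return (user, reason) alerts. `baseline` maps user -> device fingerprints
    already trusted, so a user's first observed login is not itself a 'new device'."""
    last_login = {}                                  # user -> (ts, lat, lon)
    known = {u: set(fps) for u, fps in baseline.items()}
    on_new_device = set()                            # users whose current session is from an unseen device
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):  # correlate in time order
        u = e["user"]
        if e["action"] == "login":
            if u in last_login:
                t0, la0, lo0 = last_login[u]
                hours = (e["ts"] - t0) / 3600
                km = haversine_km(la0, lo0, e["lat"], e["lon"])
                # same-second logins from different places are impossible too
                if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    alerts.append((u, "impossible_travel"))
            last_login[u] = (e["ts"], e["lat"], e["lon"])
            seen = known.setdefault(u, set())
            if e["device"] in seen:
                on_new_device.discard(u)
            else:
                on_new_device.add(u)
                seen.add(e["device"])   # learn it, but the session stays flagged
        elif e["action"] in PRIVILEGED and u in on_new_device:
            alerts.append((u, "privileged_action_after_new_device"))
    return alerts

# Constructed sample log: alice's trusted device logs in from London; one hour
# later an unseen device logs in from Tokyo and adds an SSH key. bob is benign.
BASELINE = {"alice": {"fp-a1"}, "bob": {"fp-b1"}}
SAMPLE_EVENTS = [
    {"ts": 0,    "user": "alice", "action": "login", "lat": 51.50, "lon": -0.12,  "device": "fp-a1"},
    {"ts": 100,  "user": "bob",   "action": "login", "lat": 40.71, "lon": -74.01, "device": "fp-b1"},
    {"ts": 200,  "user": "bob",   "action": "deploy"},
    {"ts": 3600, "user": "alice", "action": "login", "lat": 35.68, "lon": 139.69, "device": "fp-zz"},
    {"ts": 3700, "user": "alice", "action": "add_ssh_key"},
]
```

`detect(SAMPLE_EVENTS, BASELINE)` returns the two alice alerts and nothing for bob; in practice the device baseline would be seeded from a trusted history window rather than hard-coded.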