T1078 Valid Accounts
T1078 — Valid Accounts is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 83 detection use cases covering it and 23 threat-intel articles citing it.
Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access

83 use cases, 23 articles, 4 sub-techniques, 4 tactics
Sub-techniques (4)
Use cases covering this technique (83)
1Password impossible-travel sign-in
Atlassian administrator impersonating user
Auth0 anomalous attack-protection event spike
AWS Console login without MFA + impossible travel
Credential-stuffing attack on application
GitHub branch protection disabled with force-push bypass
GitLab password reset from suspicious IP
Impossible travel from application business-logic event
[WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m)
[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes
Cisco IOS XE WebUI Login From IOSd Local Port
Cisco IOS XE WebUI Programmatic Configuration
ESXi Account Modified
ESXi External Root Login Activity
ESXi Shared or Stolen Root Account
ESXi User Granted Admin Role
M365 Copilot Application Usage Pattern Anomalies
M365 Copilot Session Origin Anomalies
Okta Risk Threshold Exceeded
PingID Multiple Failed MFA Requests For User
Zoom High Video Latency
ASL AWS SAML Update identity provider
AWS Bedrock Invoke Model Access Denied
AWS SAML Update identity provider
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Cloud API Calls From Previously Unseen User Roles
Cloud Provisioning Activity From Previously Unseen City
Cloud Provisioning Activity From Previously Unseen Country
Cloud Provisioning Activity From Previously Unseen IP Address
Cloud Provisioning Activity From Previously Unseen Region
GCP Detect gcploit framework
Geographic Improbable Location
O365 Multiple AppIDs and UserAgents Authentication Spike
Okta Non-Standard VPN Usage
Unusual Number of Computer Service Tickets Requested
Unusual Number of Remote Endpoint Authentication Events
Windows Azure PowerShell Module Installation Via PowerShell Script
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
Windows Large Number of Computer Service Tickets Requested
Windows Multiple Account Passwords Changed
Windows Multiple Accounts Deleted
Windows Multiple Accounts Disabled
Cisco IOS Suspicious Privileged Account Creation
Cisco Privileged Account Creation with HTTP Command Execution
Cisco Privileged Account Creation with Suspicious SSH Activity
Cisco Secure Firewall - High Priority Intrusion Classification
ASL AWS CreateAccessKey
aws detect attach to role policy
aws detect permanent key creation
aws detect role creation
aws detect sts assume role abuse
AWS SAML Access by Provider User and Principal
GCP Detect accounts with high risk roles by project
GCP Detect high risk permissions by resource and account
gcp detect oauth token abuse
Web Fraud - Anomalous User Clickspeed
[LLM] First successful FortiGate admin/SSL-VPN login from never-seen ASN after failure burst
[LLM] Ivanti Sentry unauthenticated admin account creation (CVE-2026-10523)
[LLM] SAP NetWeaver SAML XML signature wrapping anomaly (CVE-2026-44748)
[LLM] Admin / privileged API call without a preceding SUCCESSFUL login (JWT forgery indicator)
[LLM] Anomalous Host header to LiteLLM (Starlette CVE-2026-48710 BadHost bypass)
[LLM] pfSense / firewall config change enabling Web SSL VPN after admin login
[LLM] DbGate exploit chain: anonymous /auth/login + /api/archive/unzip POSTs from same source (CVE-2026-47669)
[LLM] GitHub bulk git tag force-push by single actor across multiple org repos
[LLM] praisonai-platform: identity-swap chain — owner grant followed by login from the granted account
[LLM] praisonai-platform cross-tenant workspace operations from single source IP
[LLM] PraisonAI Platform member role mutation endpoint hit (CVE-2026-47407 privilege escalation)
[LLM] PraisonAI Platform open-registration burst followed by workspace privileged action
[LLM] Yamcs MDB algorithm PATCH with embedded Jython java.lang.Runtime payload (CVE-2026-46621)
[LLM] Nezha CVE-2026-46716 exploit: POST /api/v1/cron with empty servers + CronCoverAll
[LLM] YesWiki Bazar form-import volumetric POST — CVE-2026-46670 blind SQLi extraction loop
[LLM] HAXcms CVE-2026-46395: forged-JWT admin write within 30m of connectionSettings leak
[LLM] phpMyFAQ 2FA bypass success: /admin/check brute burst followed by authenticated /admin/ access
[LLM] MCPHub SSE endpoint accessed with arbitrary username in URL path (CVE-2025/GHSA-wf8q-wvv8-p8jf hunt)
[LLM] MCPHub identity spoofing — admin-themed username in /<user>/sse path
[LLM] MCPHub SSE user-segment fan-out — single source spawning sessions under multiple usernames
[LLM] MCPHub tool execution via spoofed identity — POST to /<user>/messages with JSON-RPC body
[LLM] Strapi CVE-2026-27886 admin takeover — exploit burst followed by `/admin/reset-password` POST
[LLM] tj-actions/changed-files compromised commit SHA referenced in workflow YAML or git history
[LLM] Sha1-Hulud npm Worm — Self-Hosted GitHub Actions Runner Registration with Name 'SHA1HULUD'
[LLM] Internal workflows pulling aws-actions/configure-aws-credentials@v4.3.0 during the buggy-release window
[LLM] Next.js CVE-2025-29927 middleware bypass via x-middleware-subrequest header
[LLM] Git checkout of compromised tj-actions/changed-files commit on runner host

Articles citing this technique (23)
[GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC Implementation