T1078 (Removed). ATT&CK reference: T1078

Valid Accounts

Why this is removed

Valid Accounts fails the criteria for a technique. It defines no event — it describes a resource (valid credentials) that an attacker possesses, not an action that occurs on a system. Attackers cannot choose to avoid it — any use of a victim system involves valid accounts by definition. No ontological definition is possible because there is no artifact modification to describe, which means no detection rule can be written against the technique itself. Teams currently use it as a whitelist bucket, which underlines its dissimilarity from the rest of the framework. The access type (compromised credential, default credential, etc.) should be modelled as a precondition on the techniques that follow.

Seen in the wild (2 reports)

Threat actors hold verified admin credentials for 30,000–75,000 FortiGate devices after cracking SHA-256 password hashes from previously exfiltrated configuration files — illustrating why Valid Accounts describes a precondition, not a technique.

OAuth device code flow grants the attacker persistent M365 tokens without a password or MFA — the session is valid from the platform's perspective, demonstrating T1078's precondition role.
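The following added example (not part of this page or of any framework it describes) illustrates the argument made above and in the two reports: a detection written against "use of a valid account" fires on every successful session and therefore carries no signal, whereas the access type (device-code grant, default credential, interactive credential) is useful as a precondition attached to the follow-on technique, here a configuration export. The log events, field names (`auth_protocol`, `event`, `result`), the `"deviceCode"` protocol value and the default-account list are all constructed assumptions for this example; map them to your own telemetry schema.

```python
"""Constructed example: 'valid account use' as a rule matches everything, while
the access type works as a precondition on the follow-on technique."""
from dataclasses import dataclass

# Constructed sign-in / audit events, not real telemetry. Field names are
# assumptions for this example.
EVENTS = [
    {"ts": "2024-01-01T08:00:00Z", "user": "alice", "event": "signin",
     "result": "success", "auth_protocol": "password+mfa"},
    {"ts": "2024-01-01T08:05:00Z", "user": "alice", "event": "mailbox_read",
     "result": "success", "auth_protocol": "password+mfa"},
    {"ts": "2024-01-01T09:10:00Z", "user": "bob", "event": "signin",
     "result": "success", "auth_protocol": "deviceCode"},
    {"ts": "2024-01-01T09:12:00Z", "user": "bob", "event": "config_export",
     "result": "success", "auth_protocol": "deviceCode"},
    {"ts": "2024-01-01T10:00:00Z", "user": "admin", "event": "signin",
     "result": "success", "auth_protocol": "password"},
    {"ts": "2024-01-01T10:01:00Z", "user": "admin", "event": "config_export",
     "result": "success", "auth_protocol": "password"},
    {"ts": "2024-01-01T11:00:00Z", "user": "eve", "event": "signin",
     "result": "failure", "auth_protocol": "password"},
]

# Constructed: accounts known to ship with vendor default credentials.
DEFAULT_ACCOUNTS = {"admin"}


def valid_accounts_rule(events):
    """A rule for T1078 taken literally: any successful action by a valid account.
    Every legitimate session matches too, so the rule discriminates nothing."""
    return [e for e in events if e["result"] == "success"]


def signal_ratio(events):
    """Fraction of successful events the T1078 rule flags (1.0 means no signal)."""
    successes = [e for e in events if e["result"] == "success"]
    return len(valid_accounts_rule(events)) / len(successes)


def access_type(event):
    """Derive the access-type precondition from how the session was obtained."""
    if event["auth_protocol"] == "deviceCode":
        return "device_code_grant"
    if event["user"] in DEFAULT_ACCOUNTS:
        return "default_credential"
    return "interactive_credential"


@dataclass
class Alert:
    technique: str
    user: str
    ts: str
    access_type: str
    severity: str


# Preconditions that raise the severity of the follow-on technique.
RISKY_ACCESS = {"device_code_grant": "high", "default_credential": "high"}


def config_export_rule(events):
    """Detect the follow-on technique (configuration export) and attach the
    access type as enrichment instead of treating it as its own technique."""
    alerts = []
    for e in events:
        if e["event"] != "config_export" or e["result"] != "success":
            continue
        kind = access_type(e)
        alerts.append(Alert("config_export", e["user"], e["ts"], kind,
                            RISKY_ACCESS.get(kind, "medium")))
    return alerts


if __name__ == "__main__":
    print(f"T1078 rule flags {signal_ratio(EVENTS):.0%} of successful events")
    for alert in config_export_rule(EVENTS):
        print(alert)
```

The `config_export_rule` is where a detection can actually be written: it keys on an observable action, and the access type only changes the severity and the context handed to the analyst.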