MITRE ATT&CK® Detection Strategy

DET0560: Detection of Valid Account Abuse Across Platforms


Enterprise · DET0560 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0560 is a detection strategy for abuse of valid accounts across platforms. Its business significance is that credential misuse can look like normal user activity, so resilience depends less on a single alert and more on whether identity, cloud, infrastructure, and SOC teams can prove who accessed what, from where, and whether that behavior was expected.

Executive priority

Prioritize this as an identity and incident-readiness control area. The related ATT&CK technique, Valid Accounts (T1078), is associated with initial access, persistence, privilege escalation, and stealth, which means weak visibility into legitimate account use can delay containment decisions and complicate audit evidence. Leaders should ask whether high-value accounts, externally reachable services, identity providers, IaaS, containers, and ESXi-related access paths are logged, monitored, and reviewable during an incident.

Technical view

Because the official detection text and platforms for DET0560 are not provided, teams should anchor validation on the related technique context: T1078 Valid Accounts across Containers, ESXi, IaaS, and Identity Provider environments. SOC and detection engineers should test whether account authentication, session creation, privilege use, remote access, and administrative actions can be correlated across identity and platform logs. IR teams should confirm they can reconstruct account activity timelines and distinguish expected administrator, service account, and workload behavior from anomalous use.

Likely telemetry

  • Identity provider authentication and sign-in logs
  • Administrative login and session records
  • IaaS control-plane audit logs
  • Container platform access and authorization logs
  • ESXi or virtualization management authentication and administrative logs

Detection direction

  • Validate cross-platform correlation for the same account, source, device, and session rather than relying on isolated login events.
  • Tune for unusual access patterns such as new locations, new infrastructure targets, abnormal hours, unexpected privilege use, or access to externally available services, while accounting for legitimate administrator and service account behavior.
  • Confirm coverage for the related T1078 tactic areas: initial access, persistence, privilege escalation, and stealth-oriented use of legitimate credentials.
  • Review blind spots where logs are absent, short-retained, not centralized, or not normalized across identity provider, cloud, container, and virtualization environments.
  • Use relationship context carefully: DET0560 itself has no official detection narrative in the supplied fields, so local detection logic must be validated against the organization’s own account models and platforms.
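One way to exercise the cross-platform correlation and baseline checks described above, as an added example that is not part of the Glexia or MITRE page: a baseline day defines each account's expected platforms, source IPs and hours, and later events are grouped by account and source rather than judged as isolated logins. The events, account names, platform labels and IPs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, normalized events from several control planes (not real telemetry).
# Fields: time (UTC), platform, account, src_ip, action, privileged
EVENTS = [
    ("2024-05-06T09:02:00", "idp",  "svc-backup", "10.0.5.20",    "signin",        False),
    ("2024-05-06T09:05:00", "iaas", "svc-backup", "10.0.5.20",    "DescribeSnaps", False),
    ("2024-05-06T10:15:00", "idp",  "alice",      "10.0.8.11",    "signin",        False),
    ("2024-05-06T10:20:00", "esxi", "alice",      "10.0.8.11",    "vim.login",     False),
    ("2024-05-07T02:41:00", "idp",  "svc-backup", "198.51.100.7", "signin",        False),
    ("2024-05-07T02:44:00", "k8s",  "svc-backup", "198.51.100.7", "create/clusterrolebinding", True),
    ("2024-05-07T02:50:00", "esxi", "svc-backup", "198.51.100.7", "vim.login",     True),
]

BASELINE_DAYS = ("2024-05-06",)  # events on these days define "expected" behavior

def _empty():
    return {"platforms": set(), "ips": set(), "hours": set()}

def build_baseline(events):
    """Per account: platforms, source IPs and hours seen during the baseline window."""
    base = defaultdict(_empty)
    for t, platform, account, ip, _action, _priv in events:
        if t[:10] in BASELINE_DAYS:
            b = base[account]
            b["platforms"].add(platform)
            b["ips"].add(ip)
            b["hours"].add(datetime.fromisoformat(t).hour)
    return base

def correlate(events, baseline):
    """Group post-baseline events by (account, src_ip) and record every deviation
    from that account's baseline, so one session is judged across platforms."""
    findings = {}
    for t, platform, account, ip, action, priv in sorted(events):
        if t[:10] in BASELINE_DAYS:
            continue
        b = baseline.get(account, _empty())
        reasons = []
        if ip not in b["ips"]:
            reasons.append("new source ip")
        if platform not in b["platforms"]:
            reasons.append(f"new platform {platform}")
        if datetime.fromisoformat(t).hour not in b["hours"]:
            reasons.append("outside baseline hours")
        if priv:
            reasons.append(f"privileged {action} on {platform}")
        if reasons:
            findings.setdefault((account, ip), []).append((t, platform, reasons))
    return findings
```

A real deployment would derive the baseline from a longer window and from the organization's own account model, and would treat service accounts and administrators differently, as the bullets above note.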

Mitigation priorities

  • Inventory critical human, service, administrative, cloud, and infrastructure accounts and define expected usage patterns.
  • Strengthen identity controls for high-risk accounts, including least privilege, access review, and strong authentication where applicable.
  • Centralize and retain authentication, authorization, and administrative activity logs from identity and platform control planes.
  • Establish incident response procedures for rapid account disablement, credential rotation, session revocation, and privilege review.
  • Use detection validation exercises to confirm that SOC teams can investigate suspected valid account abuse across identity, cloud, container, and virtualization evidence sources.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no explicit platforms or tactics. The practical guidance is therefore derived from its external reference and its relationship to T1078 Valid Accounts, including the related technique’s tactics and platforms.

This take does not assert active exploitation, specific adversary behavior, or guaranteed detection coverage. Environment-specific telemetry, account architecture, retention, and identity controls are required to determine actual defensive readiness.

Official MITRE ATT&CK definition

Detection of Valid Account Abuse Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name            Relationship / procedure
Enterprise  T1078  Valid Accounts  This object detects Valid Accounts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 701b7ec2b6c9a5f0...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  701b7ec2b6c9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0560 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.