MITRE ATT&CK® Detection Strategy

DET0724: Detection of Valid Accounts

ICS | DET0724 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0724 is a MITRE ATT&CK for ICS detection strategy for identifying use of Valid Accounts (T0859). Its business significance is that credential misuse can look like normal access while still enabling bypass of controls, persistence on remote systems, and increased privilege to control-system assets. For leaders, this is a reminder that ICS resilience depends not only on perimeter controls, but on knowing which user, service, and default credentials can reach operational resources and whether that access is monitored well enough to support incident decisions.

Executive priority

Prioritize this as an identity and operational-resilience risk area for ICS environments. Executives and risk owners should ask whether default and service credentials are known, governed, rotated, and monitored; whether access to control-system devices and remote systems can be reviewed quickly during an incident; and whether audit evidence exists to show that account use is controlled. Because the ATT&CK object provides no specific detection logic or platforms, investment decisions should focus on validating local telemetry and control coverage rather than assuming a standard rule is sufficient.

Technical view

SOC, detection engineering, and IR teams should treat this strategy as a coverage validation exercise for T0859 Valid Accounts in ICS. Confirm that monitoring can distinguish expected account use from suspicious use of user, service, compromised, or default credentials across hosts, network resources, remote systems, and control-system devices where applicable. Since MITRE provides no official detection text for DET0724, teams should derive analytics from local identity baselines, authorized access paths, account inventories, and known device credential practices, with particular attention to accounts that can bypass access controls or provide persistent remote access.

Likely telemetry

  • Authentication and authorization logs for user and service accounts
  • Account inventory and ownership records, including service and default credential tracking
  • Remote access logs for systems that can reach ICS resources
  • Host and network access logs showing account-based access to protected resources
  • Control-system device access records where available

Detection direction

  • Validate whether telemetry exists for the accounts and systems that matter most in the ICS environment; the ATT&CK object does not specify platforms or detection logic.
  • Baseline normal account use by user, service account, source location, destination resource, time, and privilege level, then tune for deviations that may indicate credential misuse.
  • Review default and shared credential use carefully; legitimate maintenance activity can create false positives, but unmanaged defaults are a material blind spot for T0859.
  • Correlate identity activity with remote access and resource access events so investigators can determine whether a valid login also resulted in access to sensitive hosts, network resources, or control-system devices.
  • Ensure IR workflows can quickly answer which accounts were used, what resources they reached, and whether those credentials could provide persistence or increased privilege.
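The baseline-and-deviation checks described in the list above, run over sample log lines, as an added example that is not part of the ATT&CK object or of Glexia's analysis. Everything concrete in it is a constructed assumption: the account inventory (alice, svc-hist, admin), the unknown account bob, the host names (vpn-gw, jump01, eng-ws01, hist01, plc-line1), the pipe-delimited event format, and the ten-minute window used to chain a remote-access login to a control-device access. The page names no log format, platform, or threshold. The script builds a per-account baseline of source-to-destination paths and hours of use from a historical window, then flags events in a later window that use an account missing from the inventory, use a default credential against a control device, take a path or hour not in the baseline, or chain a remote login to access of a control-system device.

```python
"""Baseline-and-deviation checks for T0859 Valid Accounts in an ICS estate.

Constructed example: the inventory, event format and host names are assumed,
not taken from the ATT&CK object or any product. Events are one per line:
ts|account|src|dst|dst_class|outcome, where dst_class is jump (remote-access
gateway), eng (engineering workstation) or plc (control-system device).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory (hypothetical). kind: user|service|default|shared
INVENTORY = {
    "alice":    {"kind": "user",    "owner": "ot-engineering"},
    "svc-hist": {"kind": "service", "owner": "historian-team"},
    "admin":    {"kind": "default", "owner": None},  # vendor default, no owner
}

# Constructed historical window used to build the baseline.
BASELINE_LOG = """\
2026-01-05T08:02:11|alice|vpn-gw|jump01|jump|success
2026-01-05T08:05:40|alice|jump01|eng-ws01|eng|success
2026-01-06T07:58:02|alice|vpn-gw|jump01|jump|success
2026-01-06T08:01:30|alice|jump01|eng-ws01|eng|success
2026-01-05T00:00:05|svc-hist|hist01|plc-line1|plc|success
2026-01-06T00:00:05|svc-hist|hist01|plc-line1|plc|success
"""

# Constructed window under review: a normal day for alice, a 02:00 session by
# alice that reaches a PLC, a vendor default account on the same PLC, and an
# account nobody inventoried.
CURRENT_LOG = """\
2026-01-07T08:03:19|alice|vpn-gw|jump01|jump|success
2026-01-07T08:06:02|alice|jump01|eng-ws01|eng|success
2026-01-07T02:14:40|alice|vpn-gw|jump01|jump|success
2026-01-07T02:16:05|alice|jump01|plc-line1|plc|success
2026-01-07T03:30:00|admin|eng-ws01|plc-line1|plc|success
2026-01-07T09:10:00|bob|vpn-gw|jump01|jump|success
"""


def parse(text):
    """Turn the pipe-delimited lines into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, dst_class, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "dst_class": dst_class,
                       "outcome": outcome})
    return events


def build_baseline(events):
    """Per account: the (src, dst) paths and hours seen in successful use."""
    paths, hours = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["outcome"] == "success":
            paths[ev["account"]].add((ev["src"], ev["dst"]))
            hours[ev["account"]].add(ev["ts"].hour)
    return {"paths": dict(paths), "hours": dict(hours)}


def detect(events, baseline, inventory, chain_window=timedelta(minutes=10)):
    """Return one finding per deviating successful event, listing every reason."""
    findings = []
    jump_logins = defaultdict(list)  # remote-access logins seen so far, per account
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "success":
            continue
        reasons = []
        entry = inventory.get(ev["account"])
        if entry is None:
            reasons.append("account not in inventory")
        elif entry["kind"] == "default" and ev["dst_class"] == "plc":
            reasons.append("default credential used against control device")
        known_paths = baseline["paths"].get(ev["account"])
        if known_paths is None:
            reasons.append("no historical baseline for account")
        else:
            if (ev["src"], ev["dst"]) not in known_paths:
                reasons.append(f"new access path {ev['src']}->{ev['dst']}")
            if ev["ts"].hour not in baseline["hours"][ev["account"]]:
                reasons.append("outside baselined hours")
        if ev["dst_class"] == "jump":
            jump_logins[ev["account"]].append(ev)
        elif ev["dst_class"] == "plc":
            # Correlate: did this account log in remotely, through the host this
            # access came from, within the chaining window before reaching the PLC?
            for login in jump_logins[ev["account"]]:
                if login["dst"] == ev["src"] and ev["ts"] - login["ts"] <= chain_window:
                    reasons.append(
                        f"remote login via {login['dst']} reached control device {ev['dst']}")
                    break
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "account": ev["account"],
                             "dst": ev["dst"], "reasons": reasons})
    return findings


def run():
    """Build the baseline from the historical window and review the current one."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(CURRENT_LOG), baseline, INVENTORY)
```

On the constructed data, run() returns four findings: alice's 02:14 remote login (outside baselined hours), her 02:16 access to plc-line1 (new path, outside hours, and chained to the remote login through jump01), the default admin account touching plc-line1, and bob, who is in no inventory and has no baseline. The svc-hist service account's midnight writes to plc-line1 produce nothing because they are in the baseline, which is the tuning point: legitimate maintenance and service paths have to be baselined on purpose, and a baseline built from too short a window (here two days) will flag ordinary variation as deviation.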

Mitigation priorities

  • Maintain an authoritative inventory of user, service, shared, and default credentials that can access ICS-related resources.
  • Remove or change default credentials where feasible and govern exceptions with documented compensating controls.
  • Limit account privileges and remote access paths to what is operationally required, especially for accounts that can reach control-system devices or remote systems.
  • Implement routine credential review, rotation, and access recertification for accounts with access to critical operational resources.
  • Test incident response procedures for credential misuse scenarios, including rapid account disablement, credential rotation, and evidence collection.

Analyst notes and limits

This take is based on the ATT&CK detection strategy DET0724 and its relationship to ICS technique T0859 Valid Accounts. The related technique text supports the focus on stolen credentials, default credentials, bypassing access controls, persistent remote access, and increased privilege. Because the detection strategy itself has no official description, detection text, tactics, platforms, or labels, recommendations are framed as validation directions rather than MITRE-provided analytics.

The supplied ATT&CK fields are sparse. No specific platforms, data sources, detection procedures, mitigations, vendors, or active exploitation details are provided. Local architecture, identity sources, remote access design, and ICS device logging capabilities are required to determine actual coverage and priority.

Official MITRE ATT&CK definition

Detection of Valid Accounts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name           | Relationship / procedure
ICS    | T0859 | Valid Accounts | This object detects Valid Accounts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in source)
Modified: (blank in source)
Raw hash: fa9992702d14a6fe...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (blank)         | 1.0            | (blank)  | Current bundle | fa9992702d14…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0724 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.