1. Home
  2. Techniques
  3. Enterprise
  4. Valid Accounts
  5. Default Accounts

Valid Accounts: Default Accounts

ID Name
T1078.001 Default Accounts
T1078.002 Domain Accounts
T1078.003 Local Accounts
T1078.004 Cloud Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.[1][2][3]

Default accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.[4]

Default accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called vpxuser is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via Exploitation for Credential Access on the vCenter host), they will then have access to the ESXi server.[5][6]

ID: T1078.001
Sub-technique of:  T1078
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, Network Devices, Office Suite, SaaS, Windows, macOS
Contributors: Janantha Marasinghe
Version: 1.5
Created: 13 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1003 Ember Bear

Ember Bear has abused default user names and passwords in externally-accessible IP cameras for initial access.[7]
G1016 FIN13

FIN13 has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.[8]
C0038 HomeLand Justice

During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[9]
S0537 HyperStack

HyperStack can use default credentials to connect to IPC$ shares on remote machines.[10]
G0059 Magic Hound

Magic Hound enabled and used the default system managed account, DefaultAccount, via "powershell.exe" /c net user DefaultAccount /active:yes to connect to a targeted Exchange server over RDP.[11]
S0603 Stuxnet

Stuxnet infected WinCC machines via a hardcoded database server password.[12]
G1048 UNC3886

UNC3886 has harvested and used vCenter Server service accounts.[5]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Implement multi-factor authentication (MFA) for default accounts whenever possible to prevent unauthorized access, even if credentials for these accounts are compromised. MFA adds an additional layer of security that requires more than just a username and password, making it significantly harder for adversaries to exploit these accounts for initial access or lateral movement.
M1027 Password Policies

Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. [13]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0465 Detection of Default Account Abuse Across Platforms AN1283

Detection of default account usage such as Guest or Administrator performing interactive or remote logons on systems outside of installation or maintenance windows.
AN1284

Monitoring for SSH logins from default accounts such as 'root', especially when login is via password and not key-based authentication.
AN1285

Use of known default service accounts or root-level cloud accounts performing authentication or changes to IAM policy.
AN1286

Abuse of system-generated or default privileged accounts such as 'root' or 'vpxuser' logging into ESXi hosts.
AN1287

Login activity from default admin credentials (e.g., 'admin', 'cisco') on routers, firewalls, and switches.

References

  1. Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.
  2. Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021.
  3. Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.
  4. undefined. (n.d.). Retrieved April 12, 2019.
  5. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  6. Yuval Lazar. (2022, March 29). Mitigating VMware vCenter Information Disclosure. Retrieved March 26, 2025.
  7. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  1. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  2. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  3. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  4. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  5. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  6. US-CERT. (n.d.). Risks of Default Passwords on the Internet. Retrieved April 12, 2019.