
M1043 Credential Access Protection

Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping.

| Item | Value |
|---|---|
| ID | M1043 |
| Version | 1.1 |
| Created | 11 June 2019 |
| Last Modified | 31 March 2020 |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.008 | LSASS Driver | On Windows 10 and Server 2016, enable Windows Defender Credential Guard [1] to run lsass.exe in an isolated virtualized environment without any device drivers. [2] |
| enterprise | T1601 | Modify System Image | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [4] |
| enterprise | T1601.001 | Patch System Image | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [4] |
| enterprise | T1601.002 | Downgrade System Image | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [4] |
| enterprise | T1599 | Network Boundary Bridging | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [3] |
| enterprise | T1599.001 | Network Address Translation Traversal | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [3] |
| enterprise | T1003 | OS Credential Dumping | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. [5] It also does not protect against all forms of credential dumping. [6] |
| enterprise | T1003.001 | LSASS Memory | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. [5][6] |
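
Because Credential Guard is not configured by default and depends on hardware and firmware support, it is worth verifying on each host that it is actually running. The PowerShell function below is an added example, not part of the ATT&CK entry; it assumes the `Win32_DeviceGuard` WMI class and the `LsaCfgFlags` registry value as documented by Microsoft, and the function name `Get-CredentialGuardStatus` is hypothetical.

```powershell
# Added example (not from the ATT&CK entry): report whether Credential Guard
# is configured AND running on the local Windows host.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes virtualization-based security (VBS) state.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # Cast to [int] because the WMI property is UInt32.
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Hardware/firmware properties that policy requires but the platform lacks
    # (codes per Win32_DeviceGuard, e.g. 1 = hypervisor support, 2 = Secure Boot,
    # 3 = DMA protection). A non-empty list explains why VBS cannot start.
    $missing = @($dg.RequiredSecurityProperties |
        Where-Object { $dg.AvailableSecurityProperties -notcontains $_ })

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # The policy key is checked first, then the local LSA key; $null means not set.
    $lsaCfg = $null
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa') {
        $item = Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue
        if ($null -ne $item) { $lsaCfg = $item.LsaCfgFlags; break }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbs
        # In SecurityServices* arrays, the value 1 denotes Credential Guard.
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
        MissingRequiredProperties = $missing
        LsaCfgFlags               = $lsaCfg
    }
}

Get-CredentialGuardStatus
```

A host that reports `CredentialGuardConfigured` as true but `CredentialGuardRunning` as false has the policy applied without the protection in effect, which is the case to alert on.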

References
