Credential Access Protection focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. This involves restricting access to credential storage mechanisms, hardening configurations to block credential dumping methods, and using monitoring tools to detect suspicious credential-related activity. This mitigation can be implemented through the following measures:
Restrict Access to Credential Storage:
C:\Windows\System32\config\SAM
.Use Credential Guard:
Monitor for Credential Dumping Tools:
Disable Cached Credentials:
Enable Secure Boot and Memory Protections:
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .008 | Boot or Logon Autostart Execution: LSASS Driver |
On Windows 10 and Server 2016, enable Windows Defender Credential Guard [1] to run lsass.exe in an isolated virtualized environment without any device drivers. [2] |
Enterprise | T1601 | Modify System Image |
Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [3] |
|
.001 | Patch System Image |
Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [3] |
||
.002 | Downgrade System Image |
Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [3] |
||
Enterprise | T1599 | Network Boundary Bridging |
Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations.[4] |
|
.001 | Network Address Translation Traversal |
Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [4] |
||
Enterprise | T1003 | OS Credential Dumping |
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. [5] It also does not protect against all forms of credential dumping. [6] |
|
.001 | LSASS Memory |
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.[5][6] |
||
Enterprise | T1558 | Steal or Forge Kerberos Tickets |
On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.[7] |
|
.005 | Ccache Files |
Protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.[7] |