Credential Access Protection

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

ID: M1043
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .008 Boot or Logon Autostart Execution: LSASS Driver

On Windows 10 and Server 2016, enable Windows Defender Credential Guard [3] to run lsass.exe in an isolated virtualized environment without any device drivers. [4]

Enterprise T1003 OS Credential Dumping

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. [1] It also does not protect against all forms of credential dumping. [2]

.001 LSASS Memory

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.[1][2]

References