Default Credentials

Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. [1]

Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

ID: T0812
Sub-techniques:  No sub-techniques
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0031 Unitronics Defacement Campaign

During the Unitronics Defacement Campaign, the CyberAv3ngers discovered and exploited default credentials found on many Unitronics Programmable Logic Controller (PLC) Human-Machine Interface (HMI). For many of these devices, the default password was set to ‘1111’.[2][3]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0801 Access Management

Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.

M0927 Password Policies

Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor logon sessions for default credential use.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for default credential use in protocols that allow unencrypted authentication.

References