Adversaries may target insecure credentials to persist on a system or device, or to move laterally from one system or device to another. Insecure credentials take two common forms: default credentials, which are pre-configured on a system, device, or software and are well known from documentation; and hard-coded credentials, which are built into the system, device, or software and cannot be changed, or cannot easily be changed, because of the impact a change would have on control processes.[1][2][3]
Adversaries often use insecure credentials to evade detection, because system and device owners have typically forgotten that they exist.
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | Ensure embedded controls and network devices are protected through access management, as these devices often have insecure credentials which could be used to gain unauthorized access. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0905 | Detection of Insecure Credentials | AN2048 | Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication. Monitor logon sessions for insecure credential use, when feasible. |
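The following is an added example of the two checks that analytic AN2048 describes, not code from the ATT&CK page or any vendor tool. It runs over two constructed record sets: network-authentication observations as a sensor that decodes cleartext protocols (Telnet, FTP, HTTP Basic) might emit them, and device logon-session records, which carry the account name but never the password. The default credential list and account names are an assumption standing in for a site-maintained list compiled from vendor documentation; the log formats and regular expressions are likewise assumptions for the sake of the example.

```python
"""Flag insecure-credential use in constructed network and logon records (added example)."""
import re
from dataclasses import dataclass

# Assumption: the defender keeps a list of published default pairs for the
# devices in scope; these generic pairs stand in for vendor-specific ones.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("operator", "operator"),
}
# Pre-configured account names derived from that list (same assumption).
DEFAULT_ACCOUNTS = {user for user, _ in DEFAULT_CREDENTIALS}

# Protocols whose authentication exchange is readable on the wire.
CLEARTEXT_AUTH_PROTOCOLS = {"telnet", "ftp", "http-basic"}

# Constructed network-authentication observations; pass=- means the secret
# was not visible to the sensor (encrypted protocol).
NETWORK_AUTH_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 -> 10.0.1.20 proto=telnet user=admin pass=admin result=success
2024-05-01T10:00:07Z 10.0.0.5 -> 10.0.1.21 proto=ssh user=engineer pass=- result=success
2024-05-01T10:00:15Z 10.0.0.9 -> 10.0.1.22 proto=ftp user=operator pass=Op3r@tor! result=success
2024-05-01T10:00:20Z 10.0.0.9 -> 10.0.1.23 proto=http-basic user=root pass=root result=failure
"""
NETWORK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S+) pass=(?P<password>\S*) result=(?P<result>\S+)$"
)

# Constructed device logon-session records (assumed format); devices log the
# account, not the password, so only the account name can be matched here.
LOGON_LOG = """\
2024-05-01T10:01:00Z host=plc-07 account=admin src=10.0.0.5 result=success
2024-05-01T10:01:30Z host=hmi-02 account=jsmith src=10.0.0.12 result=success
2024-05-01T10:02:00Z host=rtu-04 account=root src=10.0.0.9 result=failure
"""
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "cleartext_auth", "default_credential" or "default_account_logon"
    ts: str
    target: str   # destination address or host name
    account: str
    detail: str


def analyze_network_auth(log_text: str) -> list[Finding]:
    """Flag authentication over cleartext protocols and any known default pair."""
    findings = []
    for line in log_text.splitlines():
        m = NETWORK_RE.match(line)
        if not m:
            continue  # ignore lines the assumed sensor format does not describe
        rec = m.groupdict()
        if rec["proto"] in CLEARTEXT_AUTH_PROTOCOLS:
            findings.append(Finding("cleartext_auth", rec["ts"], rec["dst"], rec["user"],
                                    f"{rec['proto']} from {rec['src']}"))
            # The password is only recoverable on cleartext protocols, so the
            # pair check lives inside this branch. Failed attempts are kept:
            # a default pair being tried is itself worth a look.
            if (rec["user"], rec["password"]) in DEFAULT_CREDENTIALS:
                findings.append(Finding("default_credential", rec["ts"], rec["dst"],
                                        rec["user"], f"{rec['proto']} result={rec['result']}"))
    return findings


def analyze_logon_sessions(log_text: str) -> list[Finding]:
    """Flag successful logon sessions under pre-configured account names."""
    findings = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["account"] in DEFAULT_ACCOUNTS and rec["result"] == "success":
            findings.append(Finding("default_account_logon", rec["ts"], rec["host"],
                                    rec["account"], f"from {rec['src']}"))
    return findings


def run_detection() -> dict[str, int]:
    """Run both analytics over the constructed records and count findings by kind."""
    findings = analyze_network_auth(NETWORK_AUTH_LOG) + analyze_logon_sessions(LOGON_LOG)
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_network_auth(NETWORK_AUTH_LOG) + analyze_logon_sessions(LOGON_LOG):
        print(f"{f.ts} {f.kind:22} target={f.target} account={f.account} {f.detail}")
```

On the constructed records the network analytic flags all three cleartext authentications and two default pairs (admin/admin over Telnet and root/root over HTTP Basic, the latter a failed attempt), while the SSH session is not inspected because the credential is not visible. The logon analytic flags only the successful `admin` session on `plc-07`; the failed `root` attempt is left to the network side. In practice the default-credential list should be scoped per device model, and cleartext-protocol findings are noisy on ICS networks where Telnet and FTP are still in legitimate use, so they are better treated as inventory for M0801 than as alerts on their own.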