Credential Access Protection

Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping.

ID: M1043
Version: 1.1
Created: 11 June 2019
Last Modified: 17 October 2024

Techniques Addressed by Mitigation

Domain / ID / Name / Use

Enterprise T1601 Modify System Image

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [1]

Enterprise T1601.001 Patch System Image

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [1]

Enterprise T1601.002 Downgrade System Image

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [1]

Enterprise T1547.008 Boot or Logon Autostart Execution: LSASS Driver

On Windows 10 and Server 2016, enable Windows Defender Credential Guard [2] to run lsass.exe in an isolated virtualized environment without any device drivers. [3]

Enterprise T1003 OS Credential Dumping

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. [4] It also does not protect against all forms of credential dumping. [5]

Enterprise T1003.001 LSASS Memory

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. [4][5]

Enterprise T1558 Steal or Forge Kerberos Tickets

On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels. [6]

Enterprise T1558.005 Ccache Files

Protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels. [6]

Enterprise T1599 Network Boundary Bridging

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [7]

Enterprise T1599.001 Network Address Translation Traversal

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. [7]

References