AN1198: Analytic 1198
Monitors suspicious access to password stores such as LSASS, DPAPI, Windows Credential Manager, or browser credential databases. Detects anomalous process-to-process access (e.g., Mimikatz accessing LSASS) and correlation of credential store file reads with execution of non-standard processes.
Analyst context for executives and security teams
This analytic matters because suspicious access to Windows password stores is often an early warning that an intruder is trying to turn one compromised account or host into broader enterprise access. For leaders, the decision value is whether the organization can see abnormal access to LSASS, DPAPI, Windows Credential Manager, and browser credential databases before credential theft enables lateral movement, privileged access, or a larger incident.
Executive priority
Prioritize validation of Windows credential-store monitoring where privileged users, administrators, help desk systems, domain-joined workstations, and critical servers are in scope. This supports business continuity and incident response readiness by helping teams answer three questions: which systems expose credential material, which processes are allowed to interact with those stores, and whether the SOC can distinguish legitimate administrative or security tooling from unusual access patterns. It can also provide useful audit evidence that credential theft monitoring is covered, though the supplied ATT&CK object does not define a specific compliance mapping.
Technical view
For SOC and detection engineering teams, validate visibility for anomalous process-to-process access involving credential stores, especially access to LSASS and reads of DPAPI, Windows Credential Manager, or browser credential database files by non-standard processes. The object is Windows-specific and provides no tactic, relationship, or formal detection logic, so implementation should be based on locally approved process baselines, known administrative/security tooling, and alert correlation between process execution and credential-store file or memory access.
Likely telemetry
- Windows process creation events with command line, parent process, user, host, and signing metadata where available
- Process-to-process access telemetry, especially access to LSASS or other credential-related processes
- File access telemetry for DPAPI, Windows Credential Manager, and browser credential database locations
- Endpoint detection and response alerts or sensor events related to credential store access
- User and host context for whether the accessing process is expected on that system
Detection direction
- Baseline legitimate tools and security products that access LSASS or credential-related files to reduce false positives.
- Alert on non-standard or newly observed processes accessing LSASS, DPAPI, Windows Credential Manager, or browser credential stores.
- Correlate credential-store file reads with process execution context rather than relying on file access alone.
- Tune by host role and user role; activity that is expected on a forensic workstation or security-tool host may be unusual on a user workstation.
- Validate blind spots where endpoint telemetry does not capture process access rights, file reads, or browser credential database access.
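The detection direction above can be exercised end to end with a small correlation routine. The following is an added example, not code from the AN1198 page, from MITRE, or from Glexia: it runs over constructed Sysmon-style events (process creation, process-to-process access, and file reads), applies a per-host-role baseline of approved tooling, flags non-baselined access to LSASS or credential-store files, and joins each credential-store file read to the most recent process-creation event for the same host and image so the alert carries parent-process and user context. The event shape, field names, baseline contents, host roles, and credential-store paths are all assumptions chosen for illustration.

```python
"""Added example (not part of the AN1198 page or MITRE's data): toy correlation
logic for the detection direction above, run over constructed Sysmon-style events.
Event shapes, field names, baselines and sample paths are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Path fragments that identify credential-store files (assumed default locations).
CREDENTIAL_STORE_MARKERS = (
    "\\appdata\\roaming\\microsoft\\credentials\\",  # Windows Credential Manager blobs
    "\\appdata\\roaming\\microsoft\\protect\\",      # DPAPI master keys
    "\\user data\\default\\login data",              # Chromium-based browser credential DB
)

# Constructed baseline of images expected to touch LSASS or credential files, keyed
# by host role. A real deployment would load this from locally approved tooling.
BASELINE = {
    "workstation": {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"},
    "security_host": {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe",
                      "c:\\tools\\forensics\\imager.exe"},
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "process_create", "process_access" or "file_read"
    image: str         # image path of the created / accessing / reading process
    target: str = ""   # target process image (process_access) or file path (file_read)
    parent: str = ""   # parent image, populated on process_create
    user: str = ""     # account context where the sensor supplies it


def is_credential_store(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in CREDENTIAL_STORE_MARKERS)


def baselined(host_role: str, image: str) -> bool:
    return image.lower() in BASELINE.get(host_role, set())


def correlate(events, host_roles, window=timedelta(minutes=10)):
    """Return alerts for non-baselined LSASS access and credential-store file reads.
    Each file-read alert is joined to the latest process_create for the same host and
    image within `window`; reads with no such context are still raised but marked
    uncorrelated, which is the blind spot the last bullet above warns about."""
    ordered = sorted(events, key=lambda e: e.ts)
    creations = defaultdict(list)   # (host, lowercase image) -> process_create events
    for e in ordered:
        if e.kind == "process_create":
            creations[(e.host, e.image.lower())].append(e)

    alerts = []
    for e in ordered:
        role = host_roles.get(e.host, "workstation")   # unknown hosts get the strictest baseline
        if e.kind == "process_access" and e.target.lower().endswith("\\lsass.exe"):
            if not baselined(role, e.image):
                alerts.append({"rule": "lsass_access", "host": e.host, "image": e.image,
                               "user": e.user, "ts": e.ts})
        elif e.kind == "file_read" and is_credential_store(e.target):
            if baselined(role, e.image):
                continue
            ctx = [c for c in creations[(e.host, e.image.lower())]
                   if e.ts - window <= c.ts <= e.ts]
            alerts.append({"rule": "credential_store_read", "host": e.host, "image": e.image,
                           "target": e.target, "correlated": bool(ctx),
                           "parent": ctx[-1].parent if ctx else None,
                           "user": ctx[-1].user if ctx else e.user, "ts": e.ts})
    return alerts


def run_sample():
    """Constructed event stream: one benign system process, one dropped executable
    spawned from an Office parent, and one forensic tool used on two host roles."""
    t0 = datetime(2024, 1, 1, 9, 0)
    sysdir = "C:\\Windows\\System32\\"
    dropped = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    imager = "C:\\Tools\\Forensics\\imager.exe"
    events = [
        Event(t0, "WS01", "process_access", sysdir + "csrss.exe", target=sysdir + "lsass.exe"),
        Event(t0 + timedelta(minutes=1), "WS01", "process_create", dropped,
              parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE", user="CORP\\alice"),
        Event(t0 + timedelta(minutes=2), "WS01", "process_access", dropped, target=sysdir + "lsass.exe"),
        Event(t0 + timedelta(minutes=3), "WS01", "file_read", dropped,
              target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
        Event(t0 + timedelta(minutes=5), "SEC01", "file_read", imager,
              target="C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1\\abc"),
        Event(t0 + timedelta(minutes=6), "WS02", "file_read", imager,
              target="C:\\Users\\carol\\AppData\\Roaming\\Microsoft\\Credentials\\deadbeef"),
    ]
    host_roles = {"WS01": "workstation", "WS02": "workstation", "SEC01": "security_host"}
    return correlate(events, host_roles)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the constructed stream, the benign csrss.exe access and the forensic tool on the security host produce nothing, the dropped executable yields an LSASS-access alert followed by a correlated browser-credential read that names WINWORD.EXE as parent, and the same forensic tool on an ordinary workstation is raised as an uncorrelated read because no process-creation context exists for it. The host-role baseline is what separates the last two cases, which is the tuning point the list above describes.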
Mitigation priorities
- Reduce unnecessary local credential exposure on Windows systems where feasible.
- Limit administrative privileges and interactive logons on endpoints and servers that do not require them.
- Harden and monitor systems used by privileged users because credential-store access on those hosts carries higher business risk.
- Ensure endpoint logging and EDR coverage are deployed to Windows systems in scope before relying on this analytic for SOC coverage.
- Use incident response playbooks that treat suspicious credential-store access as a potential credential compromise requiring account, host, and lateral movement review.
Analyst notes and limits
The supplied object is a detection analytic, AN1198, for Windows monitoring of suspicious access to password stores such as LSASS, DPAPI, Windows Credential Manager, and browser credential databases. There are no supplied relationships, tactic mappings, labels, aliases, or official detection logic, so this assessment focuses on defensive validation and operational decision value rather than asserting specific adversary behavior or coverage.
Assessment is limited to the official STIX fields and the single external reference provided. No active exploitation, attribution, specific technique relationships, detection rule syntax, or guaranteed coverage can be inferred. Local baselines, endpoint telemetry quality, and approved administrative/security tooling determine whether this analytic is practical and reliable in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bc92c5d00007… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1198
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.