AN1888: Analytic 1888
Monitor network traffic for default credential use in protocols that allow unencrypted authentication. Monitor logon sessions for default credential use.
Analyst context for executives and security teams
This analytic matters because default credentials are a basic but high-consequence control failure, especially in ICS environments where operational availability and safety can depend on trusted access paths. The ATT&CK object focuses on finding default credential use in two places: network traffic where authentication is unencrypted, and logon session records. For leaders, the decision value is whether the organization can prove default credentials are not being used, or at least can detect when they are.
Executive priority
Prioritize this as an evidence and resilience question: can security, operations, and audit teams demonstrate that default credentials are removed or detected across relevant systems? Because the object is in the ICS ATT&CK domain, unresolved default credential use may affect operational continuity and incident response confidence. It should inform control validation, credential governance, and logging requirements, but the supplied object does not specify platforms, tactics, or active threat use.
Technical view
SOC and detection teams should validate whether they can observe authentication attempts that use known default usernames or credentials, particularly where protocols allow unencrypted authentication. IR teams should confirm that logon session records can be reviewed for default credential indicators during investigations. Because no platforms, tactics, relationships, or official detection logic are supplied, implementation must be adapted to local assets, protocols, identity sources, and log formats.
Likely telemetry
- Network traffic containing authentication exchanges for protocols that allow unencrypted authentication
- Logon session records
- Authentication logs where usernames, source systems, destination systems, and outcomes are recorded
- Asset and account inventories that identify default, factory, shared, or vendor-provided credentials
Detection direction
- Validate whether network monitoring can identify unencrypted authentication attempts and compare observed usernames or credential patterns against an approved default-credential watchlist.
- Correlate logon session activity with asset inventories to identify use of accounts that should not exist, should have been changed, or should be disabled.
- Tune carefully to distinguish legitimate vendor, maintenance, commissioning, or break-glass activity from unauthorized or policy-violating default credential use.
- Identify blind spots where authentication is not logged, network traffic is not visible, credentials are encrypted before inspection, or ICS/operations networks are not centrally monitored.
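One way to implement the watchlist and inventory correlation described above, as an added Python example that is not part of the ATT&CK object or of Glexia's analysis; the watchlist, asset inventory, vendor jump host and logon records are all constructed for illustration, and the grading thresholds are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed watchlist of default/vendor account names (illustrative, not a real vendor list).
DEFAULT_ACCOUNT_WATCHLIST = {"admin", "operator", "service"}
# Constructed asset inventory: whether each asset's default accounts were changed or disabled,
# and an approved maintenance window (start, end) in which vendor or commissioning access is expected.
ASSET_INVENTORY = {
    "plc-01": {"defaults_remediated": True, "maintenance": None},
    "hmi-02": {"defaults_remediated": False,
               "maintenance": (datetime(2024, 5, 1, 8), datetime(2024, 5, 1, 12))},
}
APPROVED_VENDOR_SOURCES = {"10.0.9.5"}  # constructed: the jump host vendors are allowed to use

@dataclass
class Finding:
    ts: datetime
    user: str
    src: str
    dst: str
    severity: str  # "high", "medium" or "review"
    reason: str

def evaluate(lines):
    """Correlate default-account logons with the inventory and return graded findings."""
    findings = []
    for line in lines:
        ts_text, user, src, dst, outcome = line.split()  # constructed: ts user src dst outcome
        ts = datetime.fromisoformat(ts_text)
        if user not in DEFAULT_ACCOUNT_WATCHLIST:
            continue  # unique, accountable account: nothing to correlate
        asset = ASSET_INVENTORY.get(dst)
        if asset is None:  # blind spot: the asset is missing from the inventory
            findings.append(Finding(ts, user, src, dst, "medium", "asset not in inventory"))
        elif asset["defaults_remediated"]:  # the account should no longer work here at all
            sev = "high" if outcome == "success" else "medium"
            findings.append(Finding(ts, user, src, dst, sev, "default account on remediated asset"))
        elif (win := asset["maintenance"]) and win[0] <= ts <= win[1] and src in APPROVED_VENDOR_SOURCES:
            findings.append(Finding(ts, user, src, dst, "review", "inside approved maintenance window"))
        else:
            findings.append(Finding(ts, user, src, dst, "medium", "default account outside approved use"))
    return findings
SAMPLE_LOGONS = [  # constructed logon records
    "2024-05-01T09:10:00 admin 10.0.9.5 hmi-02 success",     # vendor host in window -> review
    "2024-05-01T14:00:00 admin 10.0.3.7 hmi-02 success",     # outside window -> medium
    "2024-05-01T14:05:00 operator 10.0.3.7 plc-01 success",  # remediated asset -> high
    "2024-05-01T14:06:00 eng_smith 10.0.3.7 plc-01 success", # unique account -> ignored
    "2024-05-01T14:07:00 service 10.0.3.7 rtu-09 failure",   # unknown asset -> medium
]
```

The "review" grade is what the tuning bullet above asks for: expected vendor or commissioning activity is kept visible for audit rather than alerted on or silently dropped.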
Mitigation priorities
- Inventory systems and accounts where default credentials may exist, prioritizing operationally critical and remotely reachable assets.
- Change or disable default credentials according to operational change-control requirements.
- Require accountable, unique credentials for routine access and document any temporary exceptions.
- Improve logging and retention for logon sessions and authentication events so default credential use can be investigated.
- Use the analytic as a validation control: detection should confirm whether credential hygiene controls are actually working.
Analyst notes and limits
The strongest use of this analytic is as a control-assurance test: it helps determine whether default credential risk is observable, not merely prohibited by policy. In ICS settings, coordinate with operations teams before changing credentials or monitoring sensitive protocols, because asset availability and maintenance workflows may be affected.
The supplied ATT&CK object is sparse: no platforms, tactics, relationships, or official detection logic are provided. This summary is limited to the official description and external reference. Local protocol use, asset inventory, logging coverage, and credential policy evidence are required before assessing actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7b76be69ab21… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1888
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.