MITRE ATT&CK® Detection Strategy

DET0756: Detection of Default Credentials

ICS | DET0756 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0756 is a detection strategy entry for identifying use of default credentials in ICS environments. Its business significance is straightforward: default manufacturer or supplier accounts can provide administrative access to control system devices if they are not changed, cannot be changed, or are not governed. For leaders, this is less about a single alert and more about whether the organization can prove that critical operational technology assets are inventoried, credentialed appropriately, monitored, and exception-managed.

Executive priority

Treat this as a control-assurance and operational-resilience issue. Security and operations leaders should ask whether ICS assets still rely on manufacturer or supplier defaults, whether any unavoidable default credentials are documented as accepted risk, and whether monitoring can show attempted or successful use of those credentials. This supports vulnerability prioritization, audit evidence, incident response readiness, and cyber-physical risk governance where control system access could affect operations.

Technical view

MITRE provides no platform, tactic, description, or detection logic for DET0756, but the relationship states that it detects T1694.001 Default Credentials in the ICS domain. SOC, detection engineering, and IR teams should validate coverage by mapping known default usernames or accounts for control system devices against authentication evidence, asset inventory, configuration records, and any remote-management or device-access logs available in the local environment. Detection should distinguish between expected commissioning/maintenance activity and suspicious use on operational assets.

Likely telemetry

  • ICS asset inventory and device configuration records
  • Authentication logs from control system devices where available
  • Remote access, management interface, or administrative session logs
  • Credential vault, password rotation, or account governance records
  • Change management and commissioning records for newly deployed or serviced devices

Detection direction

  • Build detection requirements from the local inventory of ICS devices and their known manufacturer or supplier default accounts; MITRE does not provide a detection analytic for this object.
  • Validate whether logs capture both successful and failed authentication attempts to control system devices; lack of device-level authentication telemetry is a major blind spot.
  • Tune for context: default credential use during initial configuration or approved maintenance may be legitimate, while use on operational devices after commissioning should receive higher scrutiny.
  • Correlate authentication events with asset criticality, change tickets, maintenance windows, and source location to reduce false positives.
  • Track exceptions for devices whose default usernames or passwords cannot be changed, and monitor compensating controls around those assets.
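
The triage logic the list above describes, as an added Python example (not part of the original page and not a MITRE analytic). The asset names, account names, source addresses, ticket id and severity labels are all constructed assumptions to be replaced with the local inventory and change records.

```python
from datetime import datetime

# Constructed inventory (hypothetical names): default accounts per ICS asset,
# criticality, commissioning state, and whether an unchangeable default is a
# documented exception.
INVENTORY = {
    "plc-01": {"defaults": {"vendor_admin"}, "critical": True, "commissioned": True, "exception": False},
    "hmi-02": {"defaults": {"factory"}, "critical": False, "commissioned": True, "exception": True},
    "rtu-03": {"defaults": {"vendor_admin"}, "critical": True, "commissioned": False, "exception": False},
}
# Constructed change records: (asset, window start, window end, ticket id)
WINDOWS = [("plc-01", datetime(2025, 1, 10, 8), datetime(2025, 1, 10, 12), "CHG-EXAMPLE-1")]
APPROVED_SOURCES = {"10.0.5.10"}  # assumed engineering workstation

def ev(asset, user, src, ts, ok):
    return {"asset": asset, "user": user, "src": src, "ts": datetime.fromisoformat(ts), "ok": ok}

# Constructed authentication events, as a device or jump host might report them.
EVENTS = [
    ev("plc-01", "vendor_admin", "10.0.5.10", "2025-01-10T09:30", True),
    ev("plc-01", "vendor_admin", "10.0.9.77", "2025-01-12T02:15", True),
    ev("plc-01", "vendor_admin", "10.0.9.77", "2025-01-12T02:14", False),
    ev("hmi-02", "factory", "10.0.5.10", "2025-01-12T14:00", True),
    ev("rtu-03", "vendor_admin", "10.0.5.10", "2025-01-11T10:00", True),
    ev("plc-01", "operator7", "10.0.5.10", "2025-01-12T14:05", True),
    ev("pump-09", "vendor_admin", "10.0.5.10", "2025-01-12T15:00", True),
]

def in_window(asset, ts):
    return any(a == asset and start <= ts <= end for a, start, end, _ in WINDOWS)

def triage(e):
    """Return None for non-default accounts, otherwise a triage label."""
    dev = INVENTORY.get(e["asset"])
    if dev is None:
        return "inventory-gap"          # cannot judge: asset is not inventoried
    if e["user"] not in dev["defaults"]:
        return None
    trusted = e["src"] in APPROVED_SOURCES
    if trusted and (in_window(e["asset"], e["ts"]) or not dev["commissioned"]):
        return "expected"               # approved maintenance or commissioning
    if trusted and dev["exception"]:
        return "monitor"                # documented exception, compensating controls
    if e["ok"]:
        return "critical" if dev["critical"] else "high"
    return "medium"                     # failed attempt on an operational asset

def run(events=EVENTS):
    return [(e["asset"], e["user"], triage(e)) for e in events]
```

Events labelled "inventory-gap" are worth reviewing in their own right, since they mark devices that authenticate but are missing from the asset inventory the detection depends on.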

Mitigation priorities

  • Prioritize inventory of ICS devices and identification of any manufacturer or supplier default accounts.
  • Change default passwords as soon as operationally feasible, where the device supports it and change control permits.
  • For defaults that cannot be changed, document the exception, restrict access paths, and increase monitoring around the affected devices.
  • Integrate credential checks into commissioning, maintenance, vulnerability management, and compliance evidence processes.
  • Ensure incident response playbooks include steps to review default-account usage during suspected ICS access events.

Analyst notes and limits

The ATT&CK object is a detection strategy in the ICS domain and is related to T1694.001 Default Credentials. The strongest decision value is in using it as a validation prompt: can the organization prove that default credentials are removed, controlled, or monitored on control system assets? Local asset inventories, device capabilities, and operational change constraints will determine what good coverage looks like.

The supplied ATT&CK fields do not include an official description, detection text, tactics, platforms, or analytic detail for DET0756. The related technique description is partially supplied and supports only conservative statements about manufacturer or supplier default credentials on control system devices. No active exploitation, attribution, affected products, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Default Credentials

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
ICS | T1694.001 | Default Credentials (Sub-technique) | This object detects Default Credentials.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a01be24b0354d63e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a01be24b0354…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.