MITRE ATT&CK® Detection Strategy

DET0771: Detection of Change Credential

ICS | DET0771 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0771 is an ATT&CK detection strategy for identifying Change Credential behavior in ICS environments. The business significance is access resilience: if device or software credentials are changed by an adversary, operators and responders may lose the ability to manage equipment, perform configuration actions, or recover without disruptive actions such as reset or hardware replacement. Because MITRE provides no detailed detection text for this strategy, organizations should treat it as a prompt to validate whether credential and configuration changes on critical operational assets are visible, authorized, and recoverable.

Executive priority

Prioritize this as an operational continuity and incident response readiness issue, not only an authentication issue. Leaders should ask whether critical ICS devices and software have controlled credential management, documented recovery paths, evidence of authorized changes, and monitoring that can distinguish approved maintenance from unexpected credential changes. The main decision value is confirming that a credential change cannot silently remove operator or responder access during an incident.

Technical view

This detection strategy is linked to ICS technique T0892, Change Credential. SOC, OT security, and IR teams should validate visibility into credential or access-control changes on ICS software and device management interfaces, especially where vendor-provided credentials or built-in management access are used. Because the ATT&CK object does not specify platforms, tactics, or detection logic, teams should map local asset types and management paths first, then confirm which systems produce logs or configuration records for password changes, account additions, failed administrative access after a change, and recovery actions.

Likely telemetry

  • ICS device and software account-management or authentication logs where available
  • Management interface access logs for administrative sessions and credential-change events
  • Configuration change records, device backups, or baseline comparisons showing access-control changes
  • Operator and responder access failures that occur after a credential or configuration change
  • Maintenance tickets, change approvals, and privileged access records for correlation with observed changes

Detection direction

  • Correlate observed credential or account changes with approved maintenance windows, change tickets, and named responsible personnel.
  • Prioritize alerting for credential changes on critical devices or software where loss of access would delay operations or incident response.
  • Validate whether built-in, vendor-provided, or hardcoded credential paths are inventoried and monitored where applicable.
  • Tune detections to reduce false positives from planned maintenance while preserving visibility into emergency, out-of-window, or undocumented changes.
  • Test detection coverage against local logging reality, since MITRE does not provide platform-specific telemetry or analytic logic for DET0771.
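As an added illustration of the first two bullets above (not code from MITRE or Glexia), this Python sketch correlates constructed credential-change events with an assumed change-ticket list and an assumed critical-asset list, and flags changes that fall outside an approved window or have no ticket at all:

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): approved change tickets for ICS assets.
# Each entry is (device, ticket id, window start, window end); times are UTC.
CHANGE_TICKETS = [
    ("PLC-07", "CHG-1041", datetime(2026, 3, 2, 8, 0), datetime(2026, 3, 2, 12, 0)),
    ("HMI-02", "CHG-1042", datetime(2026, 3, 3, 9, 0), datetime(2026, 3, 3, 11, 0)),
]

# Assumed list of assets whose loss of access would delay operations or response.
CRITICAL_ASSETS = {"PLC-07", "SIS-01"}

# Constructed credential-change events, shaped like a management-interface log:
# (device, timestamp, actor account, source host).
EVENTS = [
    ("PLC-07", datetime(2026, 3, 2, 9, 30), "ot-admin", "eng-ws-01"),    # inside CHG-1041
    ("PLC-07", datetime(2026, 3, 2, 23, 10), "ot-admin", "eng-ws-01"),   # same device, outside window
    ("SIS-01", datetime(2026, 3, 4, 2, 5), "admin", "10.0.9.44"),        # no ticket for this device
    ("HMI-02", datetime(2026, 3, 3, 10, 15), "vendor-svc", "eng-ws-02"), # inside CHG-1042
]

def classify(event, tickets=CHANGE_TICKETS, critical=CRITICAL_ASSETS, grace=timedelta(minutes=30)):
    """Return (verdict, severity, ticket) for one credential-change event.

    verdict: 'approved'      - within an approved window (plus grace) for that device
             'out-of-window' - the device has a ticket, but the change fell outside it
             'undocumented'  - no ticket exists for the device
    Severity is raised to 'high' for critical assets whose change is not approved.
    """
    device, ts, _actor, _src = event
    device_tickets = [t for t in tickets if t[0] == device]
    for _dev, ticket_id, start, end in device_tickets:
        if start - grace <= ts <= end + grace:
            return ("approved", "info", ticket_id)
    verdict = "out-of-window" if device_tickets else "undocumented"
    severity = "high" if device in critical else "medium"
    return (verdict, severity, None)

def triage(events=EVENTS):
    """Classify every event and return those needing investigation, 'high' first."""
    findings = []
    for device, ts, actor, src in events:
        verdict, severity, _ticket = classify((device, ts, actor, src))
        if verdict != "approved":
            findings.append({"device": device, "time": ts.isoformat(), "actor": actor,
                             "source": src, "verdict": verdict, "severity": severity})
    return sorted(findings, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The grace period absorbs clock skew between the device and the ticketing system; widen or narrow it to match local logging reality.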

Mitigation priorities

  • Establish clear ownership, approval, and documentation for credential changes on ICS devices and software.
  • Maintain recoverable configuration and credential-management procedures for critical assets, including response paths when administrative access is lost.
  • Restrict and monitor privileged access to management interfaces that can change device or software credentials.
  • Inventory vendor-provided or built-in credential mechanisms and validate whether they can be governed, logged, rotated, or otherwise controlled.
  • Align SOC, OT operations, and incident response playbooks so unexpected credential changes trigger both security investigation and operational recovery assessment.

Analyst notes and limits

The ATT&CK detection strategy record is sparse: it has an external ID and a relationship to T0892, but no official description, detection text, tactics, platforms, or aliases. The practical interpretation therefore comes from the related Change Credential technique description, which emphasizes adversary modification of software or device credentials to block operator and responder access.

This take does not assert active exploitation, specific affected platforms, vendor behavior, or guaranteed detection coverage. Local ICS architecture, logging capabilities, credential-management practices, and recovery procedures are required to determine actual risk and detection feasibility.

Official MITRE ATT&CK definition

Detection of Change Credential

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name              | Relationship / procedure
ICS    | T0892 | Change Credential | This object detects Change Credential.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not set in the mirrored object)
Modified: (not set in the mirrored object)
Raw hash: 8916d4bdb161ce03...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 8916d4bdb161…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0771 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.