MITRE ATT&CK® Mitigation

M1043: Credential Access Protection

Credential Access Protection focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. This involves restricting access to credential storage mechanisms, hardening configurations to block credential dumping methods, and using monitoring tools to detect suspicious credential-related activity. This mitigation can be implemented through the following measures:

Restrict Access to Credential Storage:

- Use Case: Prevent adversaries from accessing the SAM (Security Account Manager) database on Windows systems.
- Implementation: Enforce least privilege principles and restrict administrative access to credential stores such as `C:\Windows\System32\config\SAM`.

Use Credential Guard:

- Use Case: Isolate LSASS (Local Security Authority Subsystem Service) memory to prevent credential dumping.
- Implementation: Enable Windows Defender Credential Guard on enterprise endpoints to isolate secrets and protect them from unauthorized access.

Monitor for Credential Dumping Tools:

- Use Case: Detect and block known tools like Mimikatz or Windows Credential Editor.
- Implementation: Flag suspicious process behavior related to credential dumping.

Disable Cached Credentials:

- Use Case: Prevent adversaries from exploiting cached credentials on endpoints.
- Implementation: Configure group policy to reduce or eliminate the use of cached credentials (e.g., set "Interactive logon: Number of previous logons to cache" to 0).

Enable Secure Boot and Memory Protections:

- Use Case: Prevent memory-based attacks used to extract credentials.
- Implementation: Configure Secure Boot and enforce hardware-based security features like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Domain: Enterprise | ID: M1043 | Type: Mitigation | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Credential Access Protection is a control priority because stolen passwords, hashes, tokens, keys, and Kerberos material can turn one compromised system into broader unauthorized access. For leaders, the value is not a single tool purchase; it is proving that credential stores, memory-resident secrets, cached credentials, and authentication artifacts are hardened and monitored before an incident depends on them.

Executive priority

Prioritize this as an identity and resilience safeguard for environments where credential theft could enable lateral movement, access to restricted information, persistence through LSASS-related changes, or weakening of network-device defenses. Executives should ask whether privileged access to credential stores is restricted, whether endpoint hardening such as Credential Guard and memory protections is deployed where applicable, whether cached credential policy is intentional, and whether SOC teams can produce evidence of suspicious credential-access monitoring for audit and incident response.

Technical view

MITRE provides this as a mitigation, not a detection, and no platforms are specified for the mitigation itself. Relationship context shows it mitigates OS Credential Dumping, LSASS Memory access, LSASS Driver, Kerberos ticket theft/forgery including ccache files, and several network-device defense-impairment techniques. SOC and IR teams should validate controls around Windows SAM and LSASS protection, Kerberos ticket/cache handling on relevant systems, administrative access to credential stores, suspicious credential-dumping process behavior, and change integrity for network-device configurations or images where those related techniques are in scope.

Likely telemetry

  • Endpoint process execution and security events related to credential-dumping behavior
  • Access attempts to credential stores such as Windows SAM and LSASS-related resources
  • Configuration state for Windows Defender Credential Guard, Secure Boot, DEP, ASLR, and cached logon policy where applicable
  • Administrative access and privilege-use logs for systems that store or process credentials
  • Kerberos authentication and ticket/cache-related evidence on relevant Windows, Linux, or macOS systems

Detection direction

  • Because the official detection field is not provided, treat detection coverage as a local validation exercise rather than an ATT&CK-provided analytic.
  • Tune monitoring for suspicious credential-related process behavior, especially tools or behaviors associated with credential dumping, while accounting for legitimate security administration and professional testing tools.
  • Validate visibility into LSASS access and driver-related changes in Windows environments where related techniques apply.
  • Check whether Kerberos ticket and ccache-related telemetry exists for non-Windows systems if Kerberos is used there; this is a common blind spot when identity monitoring is Windows-centric.
  • For related network-device techniques, confirm that configuration and image changes are logged and reviewed; endpoint-only monitoring will not cover those relationships.
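
One way to act on the LSASS-access point above, as an added example that is not MITRE's or Glexia's code: it triages Sysmon Event ID 10 (ProcessAccess) records whose target is lsass.exe, excluding a placeholder allowlist that you would replace with the full paths of your own EDR/AV binaries. It assumes Sysmon is installed with a ProcessAccess rule that covers lsass.exe.

```powershell
# Added example (not MITRE's or Glexia's code): triage Sysmon Event ID 10
# (ProcessAccess) records whose target is lsass.exe. Assumes Sysmon is
# installed with a ProcessAccess rule covering lsass.exe; the allowlist is a
# placeholder to replace with the full paths of your own EDR/AV binaries.
param([int]$Hours = 24)

# Placeholder allowlist: exact paths are safer than wildcards once known.
$allowlist = @('*\csrss.exe', '*\wininit.exe', '*\MsMpEng.exe')

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> entries into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetImage -notlike '*\lsass.exe') { continue }
    if ($allowlist | Where-Object { $d.SourceImage -like $_ }) { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        SourceImage   = $d.SourceImage
        GrantedAccess = $d.GrantedAccess   # access mask, kept raw for analyst triage
        CallTrace     = $d.CallTrace       # modules not backed by a known file stand out
    }
}

# Counts per source image make one noisy process obvious; then the raw hits.
$hits | Group-Object SourceImage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Legitimate security tooling will appear here first; tune the allowlist from observed full paths rather than suppressing the event class.
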

Mitigation priorities

  • Enforce least privilege and restrict administrative access to credential storage locations and mechanisms.
  • Enable Credential Guard and other memory protections where supported and operationally appropriate.
  • Reduce or disable cached credentials through policy where business operations allow, documenting exceptions.
  • Monitor for credential-dumping tools and suspicious credential-access behavior rather than relying only on preventive hardening.
  • Enable Secure Boot and hardware or OS memory protections such as DEP and ASLR where applicable.
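
The mitigation priorities above (and the same measures listed at the top of the page) can be checked as a read-only control-assurance script; this is an added example, not MITRE's or Glexia's code. It assumes an elevated session on Windows 10 / Server 2016 or later and treats DEP OptIn and any explicitly OFF system ASLR setting as findings, which is an assumed hardening baseline.

```powershell
# Added example (not MITRE's or Glexia's code): a read-only assurance check
# for the M1043 measures listed on this page. Run elevated on Windows 10 /
# Server 2016 or later; values are only reported, never changed.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Restrict Access to Credential Storage: review the SAM hive ACL.
#    By default only SYSTEM and BUILTIN\Administrators hold access.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path "$env:SystemRoot\System32\config\SAM"
foreach ($ace in $acl.Access) {
    if ($expected -notcontains $ace.IdentityReference.Value) {
        $findings.Add("SAM ACL grants $($ace.FileSystemRights) to $($ace.IdentityReference)")
    }
}

# 2. Use Credential Guard: Win32_DeviceGuard lists running security services;
#    the value 1 in SecurityServicesRunning means Credential Guard is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 1) {
    $findings.Add('Credential Guard is not running')
}

# 3. Disable Cached Credentials: "Interactive logon: Number of previous
#    logons to cache" is stored as a string under Winlogon; the page says 0.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = [int](Get-ItemProperty -Path $wl -Name CachedLogonsCount).CachedLogonsCount
if ($cached -ne 0) { $findings.Add("CachedLogonsCount is $cached, not 0") }

# 4. Secure Boot and memory protections.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') }
} catch { $findings.Add('Secure Boot state unavailable (no UEFI or not elevated)') }

# DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
# Assumed baseline: AlwaysOn or OptOut.
$dep = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
if ($dep -notin @(1, 3)) { $findings.Add("DEP policy is $dep (expected 1 AlwaysOn or 3 OptOut)") }

# System-wide ASLR from Exploit Protection; OFF is a finding, NOTSET keeps the default.
$aslr = (Get-ProcessMitigation -System).ASLR
if ("$($aslr.BottomUp)" -eq 'OFF' -or "$($aslr.HighEntropy)" -eq 'OFF') {
    $findings.Add("System ASLR weakened: BottomUp=$($aslr.BottomUp) HighEntropy=$($aslr.HighEntropy)")
}

if ($findings.Count -eq 0) { 'All M1043 checks passed' } else { $findings }
```
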

Analyst notes and limits

This object is best used as a control-assurance checklist for identity security, endpoint hardening, SOC monitoring, and IR readiness. The most useful evidence will come from local configuration baselines, privileged access reviews, endpoint telemetry, authentication logs, and network-device change records.

ATT&CK does not provide an official detection section or a platform list for this mitigation. The relationship set spans Windows, Linux, macOS, and network devices, but applicability must be confirmed against the organization’s actual operating systems, Kerberos usage, credential storage patterns, and device management practices.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels. (Citation: Brining MimiKatz to Unix) |
| Enterprise | T1599.001 | Network Address Translation Traversal (sub-technique) | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - AAA) |
| Enterprise | T1547.008 | LSASS Driver (sub-technique) | On Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017) |
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. (Citation: TechNet Credential Guard) (Citation: GitHub SHB Credential Guard) |
| Enterprise | T1601.001 | Patch System Image (sub-technique) | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management) |
| Enterprise | T1601.002 | Downgrade System Image (sub-technique) | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management) |
| Enterprise | T1558.005 | Ccache Files (sub-technique) | Protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels. (Citation: Brining MimiKatz to Unix) |
| Enterprise | T1601 | Modify System Image | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management) |
| Enterprise | T1599 | Network Boundary Bridging | Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - AAA) |
| Enterprise | T1003 | OS Credential Dumping | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard) |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 298be18ad9aa8071...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.2, current bundle)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M1043 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.