Default Accounts

Default accounts represent a critical weakness within the "Gain Access" phase, specifically under the "Valid Accounts" technique. They are pre-configured user accounts created by system vendors or developers with predefined credentials that are often documented in product manuals or widely published on the internet. Adversaries target these accounts because they frequently remain unchanged in production environments through oversight, insufficient security policy, or weak implementation of security controls. By using default accounts on network devices, databases, web applications, or IoT devices, an attacker obtains initial access with legitimate credentials that may already carry elevated privileges. This removes the need to exploit any technical vulnerability and makes detection much less likely, because the activity looks like ordinary, successful authentication. The risk is greatest when the default account holds administrative privileges, since the attacker can then immediately move laterally, escalate privileges, or plant persistence mechanisms deeper within the network.

Mitigations

| ID    | Mitigation              | Description                                                                     |
|-------|-------------------------|---------------------------------------------------------------------------------|
| M1018 | User Account Management | Disable or rename default admin accounts immediately after deployment.          |
| M1027 | Password Policies       | Enforce strong random passwords and rotate them before production exposure.     |

Detection

| ID     | Data Source          | Detection                                                                                     |
|--------|----------------------|-----------------------------------------------------------------------------------------------|
| DS0015 | Authentication Log   | Alert on successful logins using vendor-default usernames (admin/admin, root/toor).            |
| DS0029 | Network Traffic Flow | Detect repeated authentication attempts cycling through well-known default credential pairs.  |
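The two detections above, written as an added example that is not part of the original page: a small detector run over constructed sshd-style authentication log lines. It raises on a successful login by a vendor-default username (DS0015) and on a single source that fails against several distinct default usernames in a row, the host-side trace of credential cycling (the page attributes that pattern to network traffic; here the auth log is assumed as the data source). The default-username list and the log format are assumptions, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data): one source fails against
# three default usernames and then succeeds as "admin"; a normal key login follows.
SAMPLE_LOG = """\
Jan 10 09:12:01 gw sshd[2201]: Failed password for admin from 10.0.0.5 port 51001 ssh2
Jan 10 09:12:03 gw sshd[2202]: Failed password for root from 10.0.0.5 port 51002 ssh2
Jan 10 09:12:05 gw sshd[2203]: Failed password for invalid user pi from 10.0.0.5 port 51003 ssh2
Jan 10 09:12:07 gw sshd[2204]: Accepted password for admin from 10.0.0.5 port 51004 ssh2
Jan 10 09:20:11 gw sshd[2300]: Accepted publickey for alice from 10.0.0.9 port 51100 ssh2
"""

# Assumed watch-list of vendor-default usernames; extend it from your own asset inventory.
DEFAULT_USERNAMES = {"admin", "root", "pi", "ubnt", "cisco", "guest", "support"}

# Matches both the "Accepted ... for <user>" and "Failed ... for [invalid user] <user>" forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log):
    """Yield one dict per recognisable authentication event."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def default_account_logins(log):
    """DS0015: successful logins whose username is on the default-account watch-list."""
    return [(e["user"], e["src"]) for e in parse(log)
            if e["result"] == "Accepted" and e["user"].lower() in DEFAULT_USERNAMES]


def credential_cycling(log, min_distinct=3):
    """Sources that failed against at least `min_distinct` different default usernames."""
    seen = defaultdict(set)
    for e in parse(log):
        if e["result"] == "Failed" and e["user"].lower() in DEFAULT_USERNAMES:
            seen[e["src"]].add(e["user"].lower())
    return {src: sorted(users) for src, users in seen.items() if len(users) >= min_distinct}


if __name__ == "__main__":
    print("default-account logins:", default_account_logins(SAMPLE_LOG))
    print("credential cycling:", credential_cycling(SAMPLE_LOG))
```

In production, feed the same functions a tailed journal or syslog stream and treat a hit on the first check as high severity when the account is administrative.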