This site has been deprecated in favor of and will remain in place until 11/1/22.

Default Credentials

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Default Credentials
ID T0812
Tactic Lateral Movement
Data Sources Network Traffic: Network Traffic Content, Logon Session: Logon Session Creation
Asset Human-Machine Interface, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay, Control Server, Engineering Workstation


Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.1

Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

Procedure Examples

  • Stuxnet uses a default password hardcoded the WinCC software's database server as one of the mechanisms used to propagate to nearby systems.2


  • Access Management - Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.
  • Password Policies - Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices