- Tactics
- Credential Access
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1555.005
Description
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Credential Access tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1040 — Network Sniffing
- T1056 — Input Capture
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1187 — Forced Authentication
- T1212 — Exploitation for Credential Access
- T1528 — Steal Application Access Token
- T1539 — Steal Web Session Cookie
- T1552 — Unsecured Credentials
- T1555 — Credentials from Password Stores
- T1556 — Modify Authentication Process