Credentials from Password Stores: Password Managers

Adversaries may acquire user credentials from third-party password managers.[1] Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.[1]

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.[2][3] Adversaries may extract credentials from memory via Exploitation for Credential Access.[4] Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.[5]

ID: T1555.005
Sub-technique of: T1555
Platforms: Linux, Windows, macOS
Contributors: Matt Burrough, @mattburrough, Microsoft
Version: 1.1
Created: 22 January 2021
Last Modified: 19 August 2024

Procedure Examples

ID Name Description
G0117 Fox Kitten

Fox Kitten has used scripts to access credential information from the KeePass database.[6]

G0119 Indrik Spider

Indrik Spider has accessed and exported passwords from password managers.[7]

G1004 LAPSUS$

LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network.[8]

S0652 MarkiRAT

MarkiRAT can gather information from the KeePass password manager.[9]

C0014 Operation Wocao

During Operation Wocao, threat actors accessed and collected credentials from password managers.[2]

S0279 Proton

Proton gathers credentials from 1Password files.[10]

G0027 Threat Group-3390

Threat Group-3390 obtained a KeePass database from a compromised host.[11]

S0266 TrickBot

TrickBot can steal passwords from the KeePass open source password manager.[5]

Mitigations

ID Mitigation Description
M1027 Password Policies

Refer to NIST guidelines when creating password policies for master passwords.[12]

M1054 Software Configuration

Consider re-locking password managers after a short idle timeout to limit how long plaintext credentials from a decrypted database remain in memory.

M1051 Update Software

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

M1018 User Account Management

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

M1017 User Training

Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may acquire user credentials from third-party password managers.[1]

Analytic 1 - Commands indicating credential searches in password managers.

index=security sourcetype IN ("linux_secure", "macos_secure") CommandLine IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*", "*login*", "*vault*")

DS0022 File File Access

Monitor file reads that may acquire user credentials from third-party password managers.[1]

Analytic 1 - Unauthorized access to password manager files.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 4663) file_path IN ("*\AppData\Local\Keepass\*.kdbx", "*\AppData\Local\LastPass\*.lpvault", "*\AppData\Local\1Password\*.agilekeychain", "*\AppData\Local\Bitwarden\*.json", "*\AppData\Local\Dashlane\*.db", "*\AppData\Local\PasswordSafe\*.psafe3", "/home/*/.keepass/*.kdbx", "/home/*/.lastpass/*.lpvault", "/home/*/.1password/*.agilekeychain", "/home/*/.bitwarden/*.json", "/home/*/.dashlane/*.db", "/home/*/.passwordsafe/*.psafe3")
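The file-access analytic above can be expressed outside Splunk as a small triage routine. The following is an added example written for this page, not code from MITRE ATT&CK or any password-manager project: it applies the same vault-file globs to file-access events and, as a practitioner would, suppresses reads performed by the password manager itself, since the manager opening its own database is the normal case. The wildcard segments in the globs, the event codes other than Windows 4663, the `EXPECTED_READERS` names and the sample events are all assumptions or constructed values.

```python
import fnmatch

# Vault-file globs adapted from the file-access analytic above. The '*'
# wildcards (user directory, file stem) are assumed, and the patterns are
# lower-cased so that Windows paths match case-insensitively.
VAULT_GLOBS = [
    "*\\appdata\\local\\keepass\\*.kdbx",
    "*\\appdata\\local\\lastpass\\*.lpvault",
    "*\\appdata\\local\\1password\\*.agilekeychain",
    "*\\appdata\\local\\bitwarden\\*.json",
    "*\\appdata\\local\\dashlane\\*.db",
    "*\\appdata\\local\\passwordsafe\\*.psafe3",
    "/home/*/.keepass/*.kdbx",
    "/home/*/.lastpass/*.lpvault",
    "/home/*/.1password/*.agilekeychain",
    "/home/*/.bitwarden/*.json",
    "/home/*/.dashlane/*.db",
    "/home/*/.passwordsafe/*.psafe3",
]

# Event codes treated as file reads: Windows 4663 (object access) and a
# constructed "auditd_open" marker standing in for a Linux/macOS open() audit.
FILE_ACCESS_CODES = {4663, "auditd_open"}

# Processes that legitimately open their own vault (assumed names; tune per site).
EXPECTED_READERS = {"keepass.exe", "keepassxc.exe", "keepassxc", "bitwarden.exe", "bitwarden"}


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_vault_file(path):
    """True when the path matches one of the vault globs (case-insensitive)."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, glob) for glob in VAULT_GLOBS)


def triage(events):
    """Return (event, reason) for each vault read by an unexpected process."""
    findings = []
    for ev in events:
        if ev.get("EventCode") not in FILE_ACCESS_CODES:
            continue
        path = ev.get("file_path", "")
        if not is_vault_file(path):
            continue
        reader = image_name(ev.get("Image", ""))
        if reader in EXPECTED_READERS:
            continue  # the manager opening its own database is expected
        findings.append((ev, f"{reader} read vault file {path}"))
    return findings


# Constructed sample events (not a real log export).
SAMPLE_EVENTS = [
    {"EventCode": 4663, "Image": r"C:\Program Files\KeePass\KeePass.exe",
     "file_path": r"C:\Users\alice\AppData\Local\KeePass\vault.kdbx"},
    {"EventCode": 4663, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "file_path": r"C:\Users\alice\AppData\Local\KeePass\vault.kdbx"},
    {"EventCode": "auditd_open", "Image": "/usr/bin/cat",
     "file_path": "/home/bob/.keepass/secrets.kdbx"},
    {"EventCode": 4663, "Image": r"C:\Windows\System32\notepad.exe",
     "file_path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"[{ev['EventCode']}] {reason}")
```

Two caveats when deploying something like this: Windows only emits 4663 for a file that carries an audit SACL, so the vault directories must be enrolled in object-access auditing before the analytic can fire, and on Linux or macOS an equivalent open() audit rule is needed for the same reason. The allowlist should stay narrow; a broad one would also hide a malicious process that simply copies the manager's executable name.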

DS0009 Process OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.

Analytic 1 - Suspicious API calls related to password manager access.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 11, 4688) (api IN ("CryptUnprotectData", "OpenProcess", "ReadProcessMemory", "EnumProcesses", "EnumProcessModules") OR CommandLine IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*"))

Process Access

Monitor for processes being accessed (handles opened to them by another process) in ways that may acquire user credentials from third-party password managers.[1]

Analytic 1 - Unauthorized process access indicating credential searches in password managers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 10, 11) (Image IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*") OR TargetImage IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*"))
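The process-access analytic above matches on image names alone, which makes every handle opened to a password manager look the same. An added example, not code from MITRE ATT&CK or from any of the products named on this page, that goes one step further for Sysmon Event ID 10 records: it decodes the `GrantedAccess` mask against the Windows process access rights so that a handle carrying memory-read rights (what reading a decrypted vault out of the manager's memory requires) ranks above a mere query, and it drops the manager's own self-access and a short allowlist of system components. The executable names in `PASSWORD_MANAGER_IMAGES`, the `ALLOWED_SOURCES` allowlist and the sample events are assumptions or constructed values; the access-right constants are the documented winnt.h values.

```python
# Sysmon Event ID 10 (ProcessAccess) triage. The executable names below are
# assumed (the page names the products, not their binaries); tune them to the
# builds deployed in your environment.
PASSWORD_MANAGER_IMAGES = {
    "keepass.exe", "keepassxc.exe", "lastpass.exe", "1password.exe",
    "bitwarden.exe", "dashlane.exe", "pwsafe.exe",
}

# Process access rights from winnt.h; Sysmon reports the granted mask as hex.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of sources that routinely open handles to every process
# (Windows subsystem components, an EDR agent); tune per environment.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe"}


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_mask(granted_access):
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    if isinstance(granted_access, str):
        return int(granted_access, 16)
    return int(granted_access)


def classify(ev):
    """Return 'high', 'medium', 'low' or None for one ProcessAccess event."""
    source = image_name(ev["SourceImage"])
    target = image_name(ev["TargetImage"])
    if target not in PASSWORD_MANAGER_IMAGES:
        return None
    if source == target or source in ALLOWED_SOURCES:
        return None  # self-access and known system components are expected
    rights = parse_mask(ev["GrantedAccess"])
    if rights & PROCESS_VM_READ:
        # Read combined with write/operation rights is the full dump-or-inject
        # profile; read alone is still enough to copy the unlocked vault.
        if rights & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
            return "high"
        return "medium"
    if rights & PROCESS_QUERY_INFORMATION:
        return "low"
    return None


def triage(events):
    """Return (severity, source image, target image) for each flagged event."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append((severity, image_name(ev["SourceImage"]),
                             image_name(ev["TargetImage"])))
    return findings


# Constructed sample events (not a real Sysmon export).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1F3FFF"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\KeePass\KeePass.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Temp\scan.exe",
     "TargetImage": r"C:\Program Files\Bitwarden\Bitwarden.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for severity, source, target in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {source} -> {target}")
```

Sysmon only records Event ID 10 for targets selected in its configuration, so the password-manager images must be included in the ProcessAccess rules for these records to exist at all. Pairing this with the M1054 mitigation (a short auto-lock timeout) shrinks the window in which a flagged read could actually find plaintext credentials in the target process.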

References