Credentials from Password Stores: Password Managers

Adversaries may acquire user credentials from third-party password managers.[1] Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.[1]

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.[2][3] Adversaries may extract credentials from memory via Exploitation for Credential Access.[4] Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.[5]

ID: T1555.005
Sub-technique of:  T1555
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Access
Contributors: Matt Burrough, @mattburrough, Microsoft
Version: 1.0
Created: 22 January 2021
Last Modified: 14 April 2021

Procedure Examples

ID Name Description
G0117 Fox Kitten

Fox Kitten has used scripts to access credential information from the KeePass database.[6]

G0116 Operation Wocao

Operation Wocao has accessed and collected credentials from password managers.[2]

S0279 Proton

Proton gathers credentials in files for 1password.[7]

S0266 TrickBot

TrickBot can steal passwords from the KeePass open source password manager.[5]

Mitigations

ID Mitigation Description
M1027 Password Policies

Refer to NIST guidelines when creating password policies for master passwords.[8]

M1054 Software Configuration

Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.

M1051 Update Software

Update password managers regularly by employing patch management for internal enterprise endpoints and servers.

Detection

Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers.

Consider monitoring file reads surrounding known password manager applications.

References