Credentials from Password Store

Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

ID: T1634
Sub-techniques:  T1634.001
Tactic Type: Post-Adversary Device Access
Platforms: iOS
MTC ID: AUT-11
Version: 1.1
Created: 01 April 2022
Last Modified: 08 September 2023

Mitigations

ID Mitigation Description
M1002 Attestation

Device attestation can often detect jailbroken devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.

M1001 Security Updates

Apple regularly provides security updates for known OS vulnerabilities.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

DS0013 Sensor Health Host Status

Mobile security products can potentially detect jailbroken devices.