Description
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
Platforms
Mitigations (5)
Update Software (M1051)
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.
User Account Management (M1018)
Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.
User Training (M1017)
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.
Software Configuration (M1054)
Consider re-locking password managers after a short idle timeout, so that credentials decrypted from the database remain in plaintext in memory for as little time as possible.
Password Policies (M1027)
Refer to NIST guidelines when creating password policies for master passwords.(Citation: NIST 800-63-3)
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) obtained a KeePass database from a compromised host.(Citation: Trend Micro DRBControl Febru... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has accessed and exported passwords from password managers.(Citation: Mandiant_UNC2165) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-2... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has targeted KeePass password database files for credential access.(Citation: Google Cloud Threat In... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has stolen credentials contained in the password manager KeePass by utilizing Find-KeePassConfig.p... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has searched for credentials in password vaults and Privileged Access Management (PAM) solut... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has accessed local password managers and databases to obtain further credentials from a compromised n... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0652 | MarkiRAT | Malware | [MarkiRAT](https://attack.mitre.org/software/S0652) can gather information from the KeePass password manager.(Citation: Kaspersky Ferocious Kitten Jun... |
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) gathers credentials in files for 1Password.(Citation: objsee mac malware 2017) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor De... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized the command `ssh_zcp` to exfiltrate data from browser extensions and password ... |
References
- Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
- Lee, C., Schroeder, W. (n.d.). KeeThief. Retrieved February 8, 2021.
- National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021.
Frequently Asked Questions
What is T1555.005 (Password Managers)?
T1555.005 is a MITRE ATT&CK technique named 'Password Managers'. It belongs to the Credential Access tactic(s). Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normal...
How can T1555.005 be detected?
Detection of T1555.005 (Password Managers) typically involves monitoring system logs, network traffic, and endpoint telemetry. Because the technique relies on reading the password database from disk or reading decrypted credentials from the password manager's memory, useful signals include file access to password-manager database files by processes other than the password manager itself, and memory-read access to password-manager processes. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
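The two signals named above (a foreign process opening a password-manager database file, and a foreign process obtaining a memory-read handle on a password-manager process) can be turned into simple detection logic. The block below is an added example written for this page, not MITRE's code or any vendor's rule set. The event records are constructed to resemble generic EDR/Sysmon-style telemetry; the field names (`type`, `image`, `path`, `source_image`, `target_image`, `granted_access`), the extension list, the process names and the allow-list are all assumptions to be adapted to the telemetry source and products actually deployed.

```python
"""Toy detection logic for MITRE ATT&CK T1555.005 (Password Managers).

Hypothetical example, not MITRE's code. Event dictionaries are constructed
to look like generic EDR/Sysmon-style records; every field name and list
below is an assumption to be mapped onto real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# File extensions used by common password-manager databases (assumption).
PM_DB_EXTENSIONS = {".kdbx", ".kdb"}

# Executables that legitimately open those databases / hold decrypted
# credentials in memory (assumption: extend for the products you deploy).
PM_PROCESSES = {"keepass.exe", "1password.exe"}

# Processes expected to open memory-read handles on other processes
# (assumption: replace with the security tooling actually in use).
PROCESS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe"}

# Windows PROCESS_VM_READ access right; any mask containing it allows
# reading the target's memory.
PROCESS_VM_READ = 0x0010


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def check_file_access(event: dict) -> Optional[Finding]:
    """Flag a password-manager database opened by a process that is not a
    password manager (scripting hosts, archivers, copy tools, ...)."""
    path = event["path"]
    if PureWindowsPath(path).suffix.lower() not in PM_DB_EXTENSIONS:
        return None
    proc = _basename(event["image"])
    if proc in PM_PROCESSES:
        return None
    return Finding("pm_database_read_by_foreign_process", proc, path)


def check_process_access(event: dict) -> Optional[Finding]:
    """Flag a memory-read handle opened on a password-manager process by an
    unexpected source (the pattern behind memory-scraping of master
    passwords and decrypted entries)."""
    target = _basename(event["target_image"])
    if target not in PM_PROCESSES:
        return None
    source = _basename(event["source_image"])
    if source in PROCESS_ACCESS_ALLOWLIST or source == target:
        return None
    if event["granted_access"] & PROCESS_VM_READ == 0:
        return None
    return Finding("pm_process_memory_read", source,
                   f"{target} granted_access=0x{event['granted_access']:04x}")


def detect(events: list) -> list:
    """Run each event through the handler for its type; return findings."""
    handlers = {"file_read": check_file_access,
                "process_access": check_process_access}
    findings = []
    for ev in events:
        handler = handlers.get(ev["type"])
        finding = handler(ev) if handler else None
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two benign file reads, one suspicious one,
# one allow-listed and one unrelated process access, one suspicious one.
SAMPLE_EVENTS = [
    {"type": "file_read", "image": r"C:\Program Files\KeePass\KeePass.exe",
     "path": r"C:\Users\alice\Documents\vault.kdbx"},
    {"type": "file_read", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Pictures\photo.jpg"},
    {"type": "file_read",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\Documents\vault.kdbx"},
    {"type": "process_access",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Program Files\KeePass\KeePass.exe",
     "granted_access": 0x1410},
    {"type": "process_access",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\notepad.exe",
     "granted_access": 0x1010},
    {"type": "process_access",
     "source_image": r"C:\Users\alice\AppData\Local\Temp\dumper.exe",
     "target_image": r"C:\Program Files\KeePass\KeePass.exe",
     "granted_access": 0x1010},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Run stand-alone, the block reports exactly two findings: the PowerShell read of `vault.kdbx` and the unexpected memory-read handle on the KeePass process. The allow-list and the `source == target` exclusion are where most tuning happens in practice; backup agents and the password manager's own helper processes are the usual sources of false positives.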
What mitigations exist for T1555.005?
There are 5 documented mitigations for T1555.005. Key mitigations include: Update Software, User Account Management, User Training, Software Configuration, Password Policies.
Which threat groups use T1555.005?
Known threat groups using T1555.005 include: Threat Group-3390, Indrik Spider, Fox Kitten, UNC3886, Storm-0501, Scattered Spider, LAPSUS$.