Description
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Platforms
Sub-Techniques (6)
| ID | Sub-Technique |
|---|---|
| T1555.001 | Keychain |
| T1555.002 | Securityd Memory |
| T1555.003 | Credentials from Web Browsers |
| T1555.004 | Windows Credential Manager |
| T1555.005 | Password Managers |
| T1555.006 | Cloud Secrets Management Stores |
Mitigations (3)
Privileged Account Management (M1026)
Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.
Update Software (M1051)
Perform regular software updates to mitigate exploitation risk.
Password Policies (M1027)
The password for the user's login keychain can be set so that it differs from the user's login password. This raises the bar for an adversary, who then needs to know an additional password to unlock the keychain.
Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, pol
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has run `cmdkey` on victim machines to identify stored credentials.(Citation: Kaspersky Lyceum October... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.(Citation: Joint Cybersecur... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne.(Citation: Syma... |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers passwords from multiple sources, including Windows Credential Vault and Outloo... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used the Smartftp Password Decryptor tool to decrypt FTP passwords.(Citation: BitDefender Chafer Ma... |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) can collect email credentials from victims.(Citation: ESET EvilNum July 2020) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has obtained information about accounts, lists of employees, and plaintext and hashed passwords from da... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has performed credential dumping with [LaZagne](https://attack.mitre.org/software/S0349) and other... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [LaZagne](https://attack.mitre.org/software/S0349) to steal ... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.(... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) has obtained credentials from mail clients via NirSoft MailPassView.(Citation: SCILabs Malteiro 2021... |
Associated Software (25)
| ID | Name | Type | Context |
|---|---|---|---|
| S9022 | MirrorStealer | Malware | [MirrorStealer](https://attack.mitre.org/software/S9022) has the ability to steal credentials from email clients.(Citation: ESET MirrorFace DEC 2022)(... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484)'s passw.plug plugin can gather account information from multiple instant messaging, email, and soci... |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002) performs credential dumping to obtain account and password information useful in gaining access to... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can collect credentials stored in email clients.(Citation: Google XLoader 2017)(Citation: Netskope ... |
| S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) has stolen credentials from multiple applications and data sources including Windows OS credentials... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for stealing stored credentials from Outlook and Foxmail email client software.(Cita... |
| S1156 | Manjusaka | Malware | [Manjusaka](https://attack.mitre.org/software/S1156) extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility use... |
| S0167 | Matryoshka | Malware | [Matryoshka](https://attack.mitre.org/software/S0167) is capable of stealing Outlook passwords.(Citation: ClearSky Wilted Tulip July 2017)(Citation: C... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) collects user credentials, including passwords, for various programs including popular instant m... |
| S0113 | Prikormka | Malware | A module in [Prikormka](https://attack.mitre.org/software/S0113) collects passwords stored in applications installed on the victim.(Citation: ESET Ope... |
| S0435 | PLEAD | Malware | [PLEAD](https://attack.mitre.org/software/S0435) has the ability to steal saved passwords from Microsoft Outlook.(Citation: ESET PLEAD Malware July 20... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has collected Solana keys stored in `.config/solana/id.json` and other login details ... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some mal... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can retrieve passwords from messaging and mail client applications.(Citation: Red Canary NETWIRE Ja... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from common FTP clients.(Citation: GitHub QuasarRAT)(Citation: Volexity Patc... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has obtained credentials from VPN services, FTP clients and Instant Messenger (IM)/Chat cli... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses external software known as NetPass to recover passwords.(Citation: Cybereason Astaroth Fe... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to steal credentials from FTP clients and wireless profiles.(Citation: Malwareb... |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from databases, mail, and WiFi across multiple platforms.(Citation: GitHub L... |
| S0138 | OLDBAIT | Malware | [OLDBAIT](https://attack.mitre.org/software/S0138) collects credentials from several email clients.(Citation: FireEye APT28) |
References
Frequently Asked Questions
What is T1555 (Credentials from Password Stores)?
T1555 is a MITRE ATT&CK technique named 'Credentials from Password Stores'. It belongs to the Credential Access tactic(s). Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating sy...
How can T1555 be detected?
Detection of T1555 (Credentials from Password Stores) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1555?
There are 3 documented mitigations for T1555. Key mitigations include: Privileged Account Management, Update Software, Password Policies.
Which threat groups use T1555?
Known threat groups using T1555 include: HEXANE, Volt Typhoon, Leafminer, Stealth Falcon, APT39, Evilnum, APT41, APT33.