T1555.005Password Managers

Sub-technique of T1555

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may acquire user credentials from third-party password managers [2]. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk [2].

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory [3][4]. Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) [5]. Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager [6].

ATT&CK tactics (1)

Credential Access

References

  1. MITRE ATT&CK, T1555.005 Password Managers: https://attack.mitre.org/techniques/T1555/005
  2. ise Password Manager, February 2019: https://www.ise.io/casestudies/password-manager-hacking/
  3. Fox-IT, Operation Wocao, December 2019: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
  4. GitHub, KeeThief: https://github.com/GhostPack/KeeThief
  5. NVD, CVE-2019-3610: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
  6. Cybereason, Anchor, December 2019: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.