T1555: Credentials from Password Stores
| View on MITRE ATT&CK | T1555 |
|---|---|
| Tactic(s) | Credential Access |
| Associated CAPEC Patterns | Collect Data from Common Resource Locations (CAPEC-150) |
Data from MITRE ATT&CK®:
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
StopRansomware: ALPHV Blackcat
This '#StopRansomware' advisory from CISA and partners outlines technical details and mitigations for the ALPHV Blackcat 'Ransomware as a ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Cloud Service Enumeration (Cloud Service)
An extracted list of cloud services (ex: AWS ECS ListServices)
OS API Execution (Process)
Operating system function/method calls executed by a process
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Process Access (Process)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Control Validation Tests for this Technique
Use the Atomic Red Team tests below to exercise your defenses against this technique.
Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
WinPwn - Loot local Credentials - Wifi Credentials
Extract Windows Credential Manager via VBA
WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
WinPwn - Loot local Credentials - lazagne
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
Sigma Detections for this Technique
HackTool - WinPwn Execution - ScriptBlock
Enumerate Credentials from Windows Credential Manager With PowerShell
HackTool - WinPwn Execution
Dump Credentials from Windows Credential Manager With PowerShell
Suspicious Serv-U Process Pattern
HackTool - SecurityXploded Execution
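The data components above (Command Execution, Process Creation), the Atomic Red Team tests and the Sigma detections listed here all centre on a small set of observables: vaultcmd.exe run with /listcreds, a PowerShell script block that touches the Windows.Security.Credentials.PasswordVault WinRT class, or a harvesting tool such as LaZagne being launched. The following is an added example, not code from this page and not from the Atomic Red Team or Sigma projects: a rule-based detector in Python that applies three such rules to constructed process-creation events (Sysmon EID 1 / Windows EID 4688 style) and PowerShell script-block events (EID 4104). The event field names, rule names and sample events are assumptions made for the example, and the patterns approximate rather than reproduce the Sigma rules named above.

```python
"""Added example: rule-based detection of Windows Credential Manager
enumeration and dumping over constructed Sysmon EID 1 / Windows EID 4688
process-creation events and PowerShell EID 4104 script-block events.
Not part of the original page; field names, rule names and events are
assumptions made for the example."""
import re
from typing import Iterable

# Rules: (name, event id, field to inspect, pattern). Constructed here to
# approximate the behaviours the Atomic tests above exercise; they are not
# the Sigma rules listed on the page.
RULES = [
    # vaultcmd.exe /listcreds:"Windows Credentials" or /listcreds:"Web Credentials"
    ("vaultcmd_listcreds", 1, "command_line",
     re.compile(r"vaultcmd(\.exe)?\s+.*?/listcreds", re.IGNORECASE)),
    # PowerShell script block using the PasswordVault WinRT class to read or
    # decrypt stored web credentials (needs script block logging, EID 4104).
    ("powershell_passwordvault_dump", 4104, "script_block",
     re.compile(r"Windows\.Security\.Credentials\.PasswordVault.*?"
                r"\bRetrieve(All|Password)\s*\(", re.IGNORECASE | re.DOTALL)),
    # LaZagne launched under its default file name (file-name match only:
    # renaming the binary evades this rule, see the note below).
    ("lazagne_execution", 1, "image",
     re.compile(r"(^|\\)lazagne[^\\]*\.exe$", re.IGNORECASE)),
]

# Constructed sample events (illustrative, not captured logs).
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vaultcmd.exe",
     "command_line": 'vaultcmd.exe /listcreds:"Windows Credentials" /all'},
    {"event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
    {"event_id": 4104, "user": "CORP\\svc-backup",
     "script_block": ("[Windows.Security.Credentials.PasswordVault,"
                      "Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null; "
                      "$vault = New-Object Windows.Security.Credentials.PasswordVault; "
                      "$vault.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ }")},
    {"event_id": 4104, "user": "CORP\\jdoe",
     "script_block": "Get-ChildItem C:\\Logs | Sort-Object LastWriteTime"},
    {"event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\lazagne.exe",
     "command_line": "lazagne.exe all"},
    # Same enumeration launched through cmd.exe with mixed case: the rule keys
    # on the command line, not the image, so the parent's own event matches.
    {"event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c VaUltCmd /listcreds:"Web Credentials" /all'},
]


def match_event(event: dict) -> list[str]:
    """Return the names of all rules the event satisfies (empty if none)."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("event_id") == event_id and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (user, matched rule names) for every event that fires a rule."""
    return [(ev.get("user", "?"), hits) for ev in events if (hits := match_event(ev))]


if __name__ == "__main__":
    for user, hits in scan(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(hits)}")
```

Two caveats a practitioner should keep in mind. The PowerShell rule only fires if script block logging is enabled, since it reads the EID 4104 text rather than the process command line; without it, the `powershell.exe` launch looks like any other. The LaZagne rule is a file-name match and is defeated by renaming the binary, which is why the Process Access and File Access data components matter as a second layer: reads of the per-user store under `%APPDATA%\Microsoft\Credentials` by a process other than the expected system components (visible as EID 4663 once an audit SACL is set on that directory) catch tools that parse the credential blobs directly, whatever they are called.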
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.