Credentials from Password Stores: Password Managers (T1555.005)

Tactic: Credential Access · Platforms: Linux, macOS, Windows

The interactive view maps 1 detection strategy, 5 mitigations, 7 threat groups, 4 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Credentials from Password Stores (T1555).

Overview

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory. Adversaries may extract credentials from memory via Exploitation for Credential Access. Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.

Explore