T1555.005 Password Managers
Adversaries may acquire user credentials from third-party password managers.[3] Password managers are applications that store user credentials, normally in an encrypted database that is unlocked with a master password. Once the database is unlocked, its contents (and the master password or the key derived from it) are held in the application's memory, and the database itself is typically stored as a file on disk.[3]
Adversaries may acquire credentials from password managers by extracting the master password and/or plaintext credentials from the manager's process memory while the database is unlocked.[2][4] Adversaries may extract credentials from memory via Exploitation for Credential Access.[5] Adversaries may also attempt to obtain the master password by brute forcing via Password Guessing, for example against a copy of the database file taken from disk.[1]
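As an added example (not part of the ATT&CK page or of any tool it references), the following Python script shows detection logic for the two behaviours described above, run over a handful of constructed Sysmon-style events: another process opening a handle to the password manager with PROCESS_VM_READ (the access right a memory-scraping tool needs while the database is unlocked), and a process other than the manager writing a .kdbx file (a database copied to a staging folder before it is taken for offline master-password guessing). The process-name allow-list and the sample events are assumptions for the example.

```python
"""Detection logic for T1555.005 over Sysmon-style events (added example).

Rule 1 (Sysmon Event ID 10, ProcessAccess): a process other than the password
manager requests a handle to the manager's process with PROCESS_VM_READ set.
Reading the unlocked database or master password out of memory needs that right.

Rule 2 (Sysmon Event ID 11, FileCreate): a process other than the password
manager writes a .kdb/.kdbx file, e.g. a database copied to a staging folder
before it is exfiltrated for offline master-password guessing.

The events below are constructed for this example; field names follow Sysmon.
"""
import json

PROCESS_VM_READ = 0x0010  # Windows process access right: read the target's memory

# Binaries allowed to own password-manager memory and database files.
# Assumption for the example: tune to the managers deployed in your environment.
PASSWORD_MANAGER_IMAGES = {"keepass.exe", "keepassxc.exe"}
DATABASE_SUFFIXES = (".kdbx", ".kdb")


def _image_name(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_process_access(event):
    """Rule 1: non-manager process asks for VM_READ on a password-manager process."""
    if event.get("EventID") != 10:
        return False
    target = _image_name(event.get("TargetImage", ""))
    source = _image_name(event.get("SourceImage", ""))
    if target not in PASSWORD_MANAGER_IMAGES or source in PASSWORD_MANAGER_IMAGES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as hex text
    return bool(granted & PROCESS_VM_READ)


def is_suspicious_database_write(event):
    """Rule 2: non-manager process creates a KeePass database file."""
    if event.get("EventID") != 11:
        return False
    if not event.get("TargetFilename", "").lower().endswith(DATABASE_SUFFIXES):
        return False
    return _image_name(event.get("Image", "")) not in PASSWORD_MANAGER_IMAGES


def triage(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        if is_suspicious_process_access(event):
            hits.append(("pm_process_memory_read", event))
        elif is_suspicious_database_write(event):
            hits.append(("pm_database_copied", event))
    return hits


# Constructed sample: a memory read by PowerShell (PROCESS_ALL_ACCESS), a benign
# handle open by a system process without VM_READ, a database copy by cmd.exe,
# a benign save by KeePass itself, and an unrelated process-creation event.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "GrantedAccess": "0x1400"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\staging\\vault_copy.kdbx"}
{"EventID": 11, "Image": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\vault.kdbx"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
""".strip().splitlines()]


if __name__ == "__main__":
    for rule, event in triage(SAMPLE_EVENTS):
        print(rule, json.dumps(event))
```

Rule 1 is the higher-fidelity signal: legitimate software rarely needs PROCESS_VM_READ on a password manager, so in practice the main tuning is excluding your EDR and crash-reporting agents from the source side. Rule 2 will fire on ordinary backup jobs and sync clients, so it is better suited to hunting than to alerting unless the writing process is also unusual.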
| Item | Value |
|---|---|
| ID | T1555.005 |
| Parent technique | T1555 (Credentials from Password Stores) |
| Other sub-techniques of T1555 | T1555.001, T1555.002, T1555.003, T1555.004, T1555.006 |
| Tactics | TA0006 (Credential Access) |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 22 January 2021 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0117 | Fox Kitten | Fox Kitten has used scripts to access credential information from the KeePass database.[13] |
| G0119 | Indrik Spider | Indrik Spider has accessed and exported passwords from password managers.[12] |
| S1245 | InvisibleFerret | InvisibleFerret has used the ssh_zcp command to exfiltrate data from browser extensions and password managers via Telegram and FTP.[9][10] |
| G1004 | LAPSUS$ | LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network.[18] |
| S0652 | MarkiRAT | MarkiRAT can gather information from the KeePass password manager.[7] |
| C0014 | Operation Wocao | During Operation Wocao, threat actors accessed and collected credentials from password managers.[2] |
| S0279 | Proton | Proton gathers credentials from 1Password files.[8] |
| G1015 | Scattered Spider | Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions, including HashiCorp Vault.[16][17] |
| G1053 | Storm-0501 | Storm-0501 has stolen credentials stored in the KeePass password manager using Find-KeePassConfig.ps1.[15] |
| G0027 | Threat Group-3390 | Threat Group-3390 obtained a KeePass database from a compromised host.[11] |
| S0266 | TrickBot | TrickBot can steal passwords from the open-source KeePass password manager.[1] |
| G1048 | UNC3886 | UNC3886 has targeted KeePass password database files for credential access.[14] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Refer to the NIST SP 800-63 guidelines when creating password policies for master passwords.[6] |
| M1054 | Software Configuration | Configure password managers to re-lock after a short idle timeout, limiting how long the decrypted database and plaintext credentials remain in memory. |
| M1051 | Update Software | Keep web browsers, password managers and related software on current versions; patching reduces the risk that known vulnerabilities are exploited to extract stored credentials or session cookies. |
| M1018 | User Account Management | Restrict which accounts can reach systems that hold password-manager databases, and regularly audit accounts to identify and disable inactive ones that attackers could use to extract credentials or gain unauthorized access. |
| M1017 | User Training | Train users on secure credential handling, including not storing sensitive passwords in browsers and using password managers securely, and on recognizing phishing attempts that could steal session cookies or credentials. |
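An added example (not from the ATT&CK page or the KeePass project) of checking the M1054 setting on KeePass 2.x, chosen because most procedure examples above target KeePass: the script parses the WorkspaceLocking block of KeePass.config.xml and reports settings that let an unlocked database sit in memory. The weak and hardened configurations are constructed inline; the element names follow the KeePass 2.x configuration layout as I know it and should be verified against the installed version's config file, and the 300-second threshold is an assumption.

```python
"""Audit KeePass 2.x workspace-locking settings for mitigation M1054 (added example).

Parses the <Security><WorkspaceLocking> block of KeePass.config.xml and reports
settings that let an unlocked database (and its plaintext credentials) stay in
memory. Element names follow the KeePass 2.x configuration layout; verify them
against the config file of the installed version before relying on this check.
"""
import xml.etree.ElementTree as ET

MAX_IDLE_LOCK_SECONDS = 300  # policy threshold, an assumption for this example

# Event-based locks that should be enabled so the workspace re-locks when the
# user walks away, the session changes hands, or the machine suspends.
REQUIRED_TRUE = ("LockOnWindowMinimize", "LockOnSessionSwitch", "LockOnSuspend")

# Constructed sample: inactivity lock disabled and event-based locks off.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Security>
    <WorkspaceLocking>
      <LockOnWindowMinimize>false</LockOnWindowMinimize>
      <LockOnSessionSwitch>false</LockOnSessionSwitch>
      <LockOnSuspend>false</LockOnSuspend>
      <LockAfterTime>0</LockAfterTime>
      <LockAfterGlobalTime>0</LockAfterGlobalTime>
    </WorkspaceLocking>
  </Security>
</Configuration>"""

# Constructed sample: the same block with a 5-minute idle lock and event locks on.
HARDENED_CONFIG = WEAK_CONFIG.replace("false", "true").replace(
    "<LockAfterTime>0<", "<LockAfterTime>300<")


def _setting(workspace_locking, name, default):
    """Text of a child element, or the default when it is absent or empty."""
    node = workspace_locking.find(name)
    return node.text.strip() if node is not None and node.text else default


def audit_workspace_locking(config_xml):
    """Return a list of findings; an empty list means the policy is met."""
    root = ET.fromstring(config_xml)
    wl = root.find("./Security/WorkspaceLocking")
    if wl is None:
        return ["no Security/WorkspaceLocking block: settings could not be verified"]

    findings = []
    idle = int(_setting(wl, "LockAfterTime", "0"))  # seconds; 0 disables the idle lock
    if idle == 0:
        findings.append("LockAfterTime is 0: the database never re-locks on KeePass inactivity")
    elif idle > MAX_IDLE_LOCK_SECONDS:
        findings.append(f"LockAfterTime is {idle}s, above the {MAX_IDLE_LOCK_SECONDS}s policy maximum")

    for name in REQUIRED_TRUE:
        if _setting(wl, name, "false").lower() != "true":
            findings.append(f"{name} is not enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_workspace_locking(cfg) or ["OK"])
```

Per-user settings can be changed back by the user; to make the check hold, put the hardened WorkspaceLocking block into KeePass.config.enforced.xml in the installation directory, which KeePass applies over the user configuration, and run the audit against that file as well.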
References
1. Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
2. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
3. ISE. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
4. Lee, C., Schroeder, W. (n.d.). KeeThief. Retrieved February 8, 2021.
5. National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021.
6. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
7. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
8. Wardle, P. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
9. Havranek, M. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
10. Park, S. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
11. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
12. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
13. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
14. Marvi, A., Koppen, J., Ahmed, T., Lepore, J. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
15. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
16. Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.
17. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
18. Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.