Skip to content

T1555.005 Password Managers

Adversaries may acquire user credentials from third-party password managers.1 Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.1

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.23 Adversaries may extract credentials from memory via Exploitation for Credential Access.4 Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.5

Item Value
ID T1555.005
Sub-techniques T1555.001, T1555.002, T1555.003, T1555.004, T1555.005
Tactics TA0006
Platforms Linux, Windows, macOS
Permissions required User
Version 1.0
Created 22 January 2021
Last Modified 25 March 2022

Procedure Examples

ID Name Description
G0117 Fox Kitten Fox Kitten has used scripts to access credential information from the KeePass database.10
S0652 MarkiRAT MarkiRAT can gather information from the Keepass password manager.7
C0014 Operation Wocao During Operation Wocao, threat actors accessed and collected credentials from password managers.2
S0279 Proton Proton gathers credentials in files for 1password.8
G0027 Threat Group-3390 Threat Group-3390 obtained a KeePass database from a compromised host.9
S0266 TrickBot TrickBot can steal passwords from the KeePass open source password manager.5


ID Mitigation Description
M1027 Password Policies Refer to NIST guidelines when creating password policies for master passwords.6
M1054 Software Configuration Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.
M1051 Update Software Update password managers regularly by employing patch management for internal enterprise endpoints and servers.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process OS API Execution