T1555.005 Password Managers
Adversaries may acquire user credentials from third-party password managers.1 Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.1
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.23 Adversaries may extract credentials from memory via Exploitation for Credential Access.4 Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.5
| Item | Value |
|---|---|
| ID | T1555.005 |
| Sub-techniques | T1555.001, T1555.002, T1555.003, T1555.004, T1555.005 |
| Tactics | TA0006 |
| Platforms | Linux, Windows, macOS |
| Permissions required | User |
| Version | 1.0 |
| Created | 22 January 2021 |
| Last Modified | 25 March 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0117 | Fox Kitten | Fox Kitten has used scripts to access credential information from the KeePass database.10 |
| S0652 | MarkiRAT | MarkiRAT can gather information from the Keepass password manager.7 |
| C0014 | Operation Wocao | During Operation Wocao, threat actors accessed and collected credentials from password managers.2 |
| S0279 | Proton | Proton gathers credentials in files for 1password.8 |
| G0027 | Threat Group-3390 | Threat Group-3390 obtained a KeePass database from a compromised host.9 |
| S0266 | TrickBot | TrickBot can steal passwords from the KeePass open source password manager.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies for master passwords.6 |
| M1054 | Software Configuration | Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases. |
| M1051 | Update Software | Update password managers regularly by employing patch management for internal enterprise endpoints and servers. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0009 | Process | OS API Execution |
References
-
ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021. ↩↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩↩
-
Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8, 2021. ↩
-
National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021. ↩
-
Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. ↩↩
-
Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019. ↩
-
GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩
-
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. ↩
-
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. ↩