Skip to content

T1555 Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials.1 Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Item Value
ID T1555
Sub-techniques T1555.001, T1555.002, T1555.003, T1555.004, T1555.005, T1555.006
Tactics TA0006
Platforms IaaS, Linux, Windows, macOS
Version 1.2
Created 11 February 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.30
G0064 APT33 APT33 has used a variety of publicly available tools like LaZagne to gather credentials.4344
G0087 APT39 APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.40
G0096 APT41 APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases.42
S0373 Astaroth Astaroth uses an external software known as NetPass to recover passwords. 29
S1246 BeaverTail BeaverTail has collected keys stored for Solana stored in .config/solana/id.json and other login details associated with macOS within /Library/Keychains/login.keychain or for Linux within /.local/share/keyrings.23
S0484 Carberp Carberp’s passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.12
S0050 CosmicDuke CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.1
S1111 DarkGate DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.24
G0120 Evilnum Evilnum can collect email credentials from victims.41
G0037 FIN6 FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.52
G1001 HEXANE HEXANE has run cmdkey on victim machines to identify stored credentials.36
S0526 KGH_SPY KGH_SPY can collect credentials from WINSCP.35
S0349 LaZagne LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.9
G0077 Leafminer Leafminer used several tools for retrieving login and password information, including LaZagne.38
S0447 Lokibot Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.15
G1026 Malteiro Malteiro has obtained credentials from mail clients via NirSoft MailPassView.34
S1156 Manjusaka Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.18
S0167 Matryoshka Matryoshka is capable of stealing Outlook passwords.1920
S1146 MgBot MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.1617
S0002 Mimikatz Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.23456
S1122 Mispadu Mispadu has obtained credentials from mail clients via NirSoft MailPassView.343332
G0069 MuddyWater MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.454647
S0198 NETWIRE NETWIRE can retrieve passwords from messaging and mail client applications.25
G0049 OilRig OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.51495048
S0138 OLDBAIT OLDBAIT collects credentials from several email clients.31
S0048 PinchDuke PinchDuke steals credentials from compromised hosts. PinchDuke’s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.1
S0435 PLEAD PLEAD has the ability to steal saved passwords from Microsoft Outlook.22
S0378 PoshC2 PoshC2 can decrypt passwords stored in the RDCMan configuration file.11
S0113 Prikormka A module in Prikormka collects passwords stored in applications installed on the victim.21
S0192 Pupy Pupy can use Lazagne for harvesting credentials.10
S0262 QuasarRAT QuasarRAT can obtain passwords from common FTP clients.78
S1240 RedLine Stealer RedLine Stealer has obtained credentials from VPN services, FTP clients and Instant Messenger (IM)/Chat clients.262728
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.53
G0038 Stealth Falcon Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.39
G1017 Volt Typhoon Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.37
S1207 XLoader XLoader can collect credentials stored in email clients.1413

Mitigations

ID Mitigation Description
M1027 Password Policies The password for the user’s login keychain can be changed from the user’s login password. This increases the complexity for an adversary because they need to know an additional password.
M1026 Privileged Account Management Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.
M1051 Update Software Perform regular software updates to mitigate exploitation risk.

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  2. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015. 

  3. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017. 

  4. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017. 

  5. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  6. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  7. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  8. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  9. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. 

  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  11. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  12. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  13. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025. 

  14. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025. 

  15. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. 

  16. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. 

  17. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. 

  18. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. 

  19. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  20. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024. 

  21. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  22. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020. 

  23. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  24. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  25. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  26. George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025. 

  27. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025. 

  28. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. 

  29. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  30. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. 

  31. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  32. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  33. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024. 

  34. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  35. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  36. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  37. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 

  38. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  39. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  40. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  41. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  42. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 

  43. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  44. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  45. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. 

  46. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  47. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  48. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  49. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  50. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024. 

  51. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. 

  52. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  53. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.