T1634 Credentials from Password Store

Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make them easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

| Item | Value |
| --- | --- |
| ID | T1634 |
| Sub-techniques | T1634.001 |
| Tactics | TA0031 |
| Platforms | iOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 20 March 2023 |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1002 | Attestation | Device attestation can often detect jailbroken devices. |
| M1010 | Deploy Compromised Device Detection Method | Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. |
| M1001 | Security Updates | Apple regularly provides security updates for known OS vulnerabilities. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0041 | Application Vetting | API Calls |
| DS0013 | Sensor Health | Host Status |