Skip to content

T1634 Credentials from Password Store

Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Item Value
ID T1634
Sub-techniques T1634.001
Tactics TA0031
Platforms iOS
Version 1.1
Created 01 April 2022
Last Modified 20 March 2023


ID Mitigation Description
M1002 Attestation Device attestation can often detect jailbroken devices.
M1010 Deploy Compromised Device Detection Method Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.
M1001 Security Updates Apple regularly provides security updates for known OS vulnerabilities.


ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0013 Sensor Health Host Status