T1555.005
Password Managers
Description
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
Platforms
Mitigations
- M1051 — Update Software
- M1018 — User Account Management
- M1017 — User Training
- M1054 — Software Configuration
- M1027 — Password Policies
Our coverage
- VoidStealer Bypasses Chrome App-Bound Encryption Without Code Injection or Privilege Escalation
- UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules
- Quasar Linux (QLNX): Rootkit and PAM Backdoor Targeting Developer Credentials
- Bluekit Phishing Kit Bundles AI Assistant and 40 Templates for Scalable Campaigns
Source: MITRE ATT&CK Enterprise matrix.