T1555.005: Password Managers

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory. Adversaries may extract credentials from memory via Exploitation for Credential Access. Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

hashicorp: PT-CR-2141: Hashicorp_Vault_Infrastructure_Discovery: Attackers can perform reconnaissance of the system infrastructure to determine possible further actions

mitre_attck_cred_access: PT-CR-765: Credential_Access_To_Passwords_Storage: Access to files containing credentials (browsers, password managers) is detected

mitre_attck_cred_access: PT-CR-2457: Passwork_Credential_Collection: A user accessed an abnormally large number of passwords in a short period of time. This may indicate that attackers gained access to user password storage.

mitre_attck_cred_access: PT-CR-769: KeePass_Keys_Extraction: Extraction of a master key from KeePass is detected

Detection

ID: DS0009
Data source and component: Process: Process Access
Description: Monitor processes being accessed that may acquire user credentials from third-party password managers.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls that may search for common password storage locations to obtain user credentials.

ID: DS0022
Data source and component: File: File Access
Description: Monitor file reads that may acquire user credentials from third-party password managers.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may acquire user credentials from third-party password managers.
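As an added illustration of the Process Access and File Access detections above (example code written for this page, not a MaxPatrol SIEM rule or MITRE content), the script below runs two checks over constructed endpoint events: a non-trusted process opening a password manager process with memory-read rights, and a non-trusted process reading a vault database file. The process names, access-mask constants and trusted-reader list are assumptions to be adapted to the estate being monitored.

```python
"""Toy detector for T1555.005 over constructed endpoint events (not real telemetry)."""

PROCESS_VM_READ = 0x0010                          # Windows access right needed to read another process's memory
PASSWORD_MANAGERS = {"keepass.exe"}               # assumption: extend with the password managers deployed
DB_EXTENSIONS = (".kdbx",)                        # KeePass database extension; add other vault file types
TRUSTED_READERS = {"keepass.exe", "msmpeng.exe"}  # assumption: processes expected to touch vault files/memory

# Constructed sample events, loosely modelled on Sysmon Event ID 10 (ProcessAccess)
# and Windows file-access auditing. Paths and process names are made up for the example.
EVENTS = [
    {"type": "process_access", "source": "C:\\Windows\\System32\\taskmgr.exe",
     "target": "C:\\Program Files\\KeePass\\KeePass.exe", "granted_access": 0x1000},
    {"type": "process_access", "source": "C:\\Users\\alice\\AppData\\Local\\Temp\\dump.exe",
     "target": "C:\\Program Files\\KeePass\\KeePass.exe", "granted_access": 0x1410},
    {"type": "file_access", "process": "C:\\Program Files\\KeePass\\KeePass.exe",
     "path": "C:\\Users\\alice\\Documents\\vault.kdbx"},
    {"type": "file_access", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "path": "C:\\Users\\alice\\Documents\\vault.kdbx"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, offending_process, accessed_object) tuples for suspicious events."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_access":
            # Only memory-read handles to a password manager from an unexpected source are interesting;
            # query-only handles (e.g. Task Manager listing processes) are filtered by the mask check.
            if (basename(ev["target"]) in PASSWORD_MANAGERS
                    and ev["granted_access"] & PROCESS_VM_READ
                    and basename(ev["source"]) not in TRUSTED_READERS):
                alerts.append(("memory_read_of_password_manager", ev["source"], ev["target"]))
        elif ev["type"] == "file_access":
            # The password manager itself reading its own database is normal; anything else is flagged.
            if (ev["path"].lower().endswith(DB_EXTENSIONS)
                    and basename(ev["process"]) not in TRUSTED_READERS):
                alerts.append(("vault_file_read_by_untrusted_process", ev["process"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for rule, proc, obj in detect(EVENTS):
        print(f"[{rule}] {proc} -> {obj}")
```

Of the four constructed events, only the memory-read handle from dump.exe and the PowerShell read of vault.kdbx produce alerts; the query-only handle and the manager's own file read are treated as benign.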

Mitigation

ID: M1051
Name: Update Software
Description: Update password managers regularly by employing patch management for internal enterprise endpoints and servers.

ID: M1054
Name: Software Configuration
Description: Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.

ID: M1027
Name: Password Policies
Description: Refer to NIST guidelines when creating password policies for master passwords.