Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Credentials from Password Stores

Credentials from Password Stores

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

ID: T1555
Sub-techniques:  T1555.001, T1555.002, T1555.003
Tactic: Credential Access
Platforms: Linux, Windows, macOS
Permissions Required: Administrator
Data Sources: API monitoring, File monitoring, PowerShell logs, Process monitoring, System calls
Version: 1.0
Created: 11 February 2020
Last Modified: 25 March 2020

Procedure Examples

Name Description
Agent Tesla

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[21]
APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[24][25]
APT39

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[33]
Astaroth

Astaroth uses an external software known as NetPass to recover passwords. [16]
CosmicDuke

CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[11]
LaZagne

LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[3]
Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne.[26]
Lokibot

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[20]
Matroyshka

Matroyshka is capable of stealing Outlook passwords.[14][15]
Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[4][5][6][7]

MuddyWater

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[27][28]
OilRig

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[29][30][31][32]
OLDBAIT

OLDBAIT collects credentials from several email clients.[17]
PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.[11]
PLEAD

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[19]
PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[8][9]
Prikormka

A module in Prikormka collects passwords stored in applications installed on the victim.[13]
Proton

Proton gathers credentials in files for 1password and keychains.[12]
Pupy

Pupy can use Lazagne for harvesting credentials.[10]
QuasarRAT

QuasarRAT can obtain passwords from common FTP clients.[1][2]
ROKRAT

ROKRAT steals credentials by leveraging the Windows Vault mechanism.[18]
Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.[22]
Turla

Turla has gathered credentials from the Windows Credential Manager tool.[23]

Mitigations

Mitigation Description
Password Policies

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.

Detection

Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.

References

  1. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  2. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  3. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  4. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  5. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  6. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  7. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  8. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  9. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  11. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  12. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  13. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  14. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  15. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  16. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  17. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  1. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  2. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  3. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  4. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  5. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  6. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  7. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  8. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  9. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  10. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  11. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  12. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  13. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  14. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  15. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  16. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.