T1555 · credential-access · 13 actors · 3 correlated reports

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.

Observed actors

Volt Typhoon
G1017 APT41
G0096 Evilnum
G0120 MuddyWater
G0069 FIN6
G0037 Leafminer
G0077 APT39
G0087 OilRig
G0049 Stealth Falcon
G0038 APT29
G0016 Malteiro
G1026 HEXANE
G1001 APT33
G0064

Correlated CTI and IR reports

1. Executive Summary
Israel Threat Actors CTI · explicit report mention ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention ATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research