Credentials from Password Stores - T1555
(ATT&CK® Technique)
Definition
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
D3FEND Inferred Relationships
Artifacts related to T1555 (Credentials from Password Stores):
  may-invoke: Read File
  accesses: Database File, Password Store, In-memory Password Store, MacOS Keychain
  may-access: Database File, In-memory Password Store

Defensive techniques related to T1555 through those artifacts:
  File Integrity Monitoring: analyzes Database File; may-detect T1555
  Decoy File: spoofs Database File; may-deceive T1555
  Local File Permissions: restricts Database File; may-isolate T1555
  System Call Filtering: filters Read File; may-isolate T1555
  System Call Analysis: analyzes Read File; may-detect T1555
  File Eviction: deletes Database File; may-evict T1555
  File Encryption: encrypts Database File; may-harden T1555
  Restore File: restores Database File; may-restore T1555
  Restore Database: restores MacOS Keychain, Password Store, In-memory Password Store; may-restore T1555
  File Analysis: analyzes Database File; may-detect T1555
  Remote File Access Mediation: isolates Database File; may-isolate T1555