T1555.005 - Password Managers

Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers.

Consider monitoring file reads surrounding known password manager applications.