Credentials from Password Managers

Information

• Name: Password Managers

• ID: T1555.005

• Tactics: TA0006

• Technique: T1555

Introduction

The MITRE ATT&CK sub-technique T1555.005, "Credentials from Password Managers," refers to adversaries targeting and extracting stored credentials from password management applications and tools. Password managers are commonly used by organizations and individuals to securely store and manage credentials. Attackers specifically target these applications due to their high-value data and centralized storage of sensitive information, allowing adversaries to rapidly escalate privileges, move laterally, and gain unauthorized access across networks and systems.

Deep Dive Into Technique

Adversaries employing this sub-technique typically aim at extracting usernames, passwords, and other sensitive information stored within password managers. These attacks leverage various methods and mechanisms, including:

• Memory Dumping: Attackers may access the memory of password manager processes to extract plaintext passwords while the application is running.

• Credential Database Extraction: Password managers often store encrypted credential databases locally. Attackers may copy and exfiltrate these databases, attempting offline brute-force or dictionary attacks against the master password.

• Keylogging and Clipboard Monitoring: Attackers may deploy keyloggers or clipboard monitoring malware to intercept credentials as they are entered or copied.

• Browser Extension Exploitation: Many password managers integrate with browsers through extensions. Attackers may exploit vulnerabilities in these extensions or browsers themselves to capture credentials.

• Abusing APIs and Command-Line Interfaces (CLI): Some password managers offer APIs and command-line tools for automation and integration. Attackers may abuse these interfaces to extract credentials programmatically.

• Phishing and Social Engineering: Attackers may employ phishing campaigns to trick users into revealing their master passwords or sensitive credentials.

Real-world procedures typically involve malware that specifically scans for and targets popular password manager software such as LastPass, KeePass, Dashlane, 1Password, and browser-based credentials storage (e.g., Chrome, Firefox built-in password managers).

When this Technique is Usually Used

Attackers deploy this sub-technique during multiple stages of the cyber kill chain, including:

• Initial Access and Credential Harvesting: Early in the attack lifecycle, adversaries may target password managers to gain initial footholds into networks.

• Privilege Escalation: Attackers leverage stolen credentials from password managers to escalate privileges by accessing sensitive accounts or administrative credentials.

• Lateral Movement: Credentials extracted from password managers allow attackers to move laterally through networks, compromising additional systems and services.

• Persistence and Long-Term Access: Attackers may use extracted credentials to maintain persistent access, bypassing traditional authentication controls.

• Data Exfiltration and Impact: Credentials from password managers can facilitate access to sensitive data, enabling attackers to exfiltrate critical information or disrupt operations.

Attack scenarios commonly include targeted ransomware operations, advanced persistent threats (APTs), insider threats, and financially motivated cybercrime.

How this Technique is Usually Detected

Detection of credential theft from password managers involves multiple strategies, tools, and indicators of compromise (IoCs):

• Endpoint Detection and Response (EDR): Monitoring for suspicious processes accessing password manager files or memory.

• File Integrity Monitoring (FIM): Detecting unauthorized access, modification, or copying of password manager credential databases or configuration files.

• Behavioral Analytics and Anomaly Detection: Identifying unusual patterns of access or usage of password manager applications, such as unexpected export or bulk credential extraction.

• Network Monitoring and Intrusion Detection Systems (IDS): Detecting exfiltration attempts or command-and-control (C2) communications associated with credential theft malware.

• Audit Logs and System Event Logs: Reviewing logs for unusual access attempts, failed logins, or API calls targeting password manager services.

• Indicators of Compromise (IoCs) and Threat Intelligence Feeds: Leveraging known malware signatures, hashes, filenames, registry keys, or network artifacts associated with credential-stealing malware.

Specific IoCs may include:

• Unusual file access patterns on password manager databases (e.g., KeePass .kdbx files, LastPass local storage files).

• Suspicious processes or scripts interacting with browser extensions or password manager APIs.

• Known malware hashes or signatures related to credential-stealing attacks.

Why it is Important to Detect This Technique

Early detection of credential theft from password managers is crucial due to the severe impacts and risks posed to organizations:

• Rapid Credential Abuse: Attackers can quickly exploit stolen credentials to access sensitive data, escalate privileges, and compromise critical systems.

• Widespread Compromise: Password managers often store credentials for numerous systems and services, making them a high-value target that can lead to extensive compromise.

• Data Breaches and Regulatory Impact: Compromise of credentials can result in significant data breaches, leading to regulatory fines, reputational damage, and loss of customer trust.

• Operational Disruption: Attackers leveraging stolen credentials can disrupt business operations, deploy ransomware, or sabotage critical infrastructure.

• Long-Term Persistence and Difficulty in Remediation: Once credentials are compromised, attackers can maintain persistent access, making remediation challenging and resource-intensive.

Early detection and response can limit attacker dwell time, reduce the scope of compromise, and mitigate potential damage to the organization.

Examples

Real-world examples of credential theft from password managers include:

• RedLine Stealer Malware:

  • Attack Scenario: RedLine malware targets browsers and password managers, extracting stored credentials and cookies.

  • Tools Used: RedLine Stealer, malware distribution via phishing emails, malicious websites, or cracked software downloads.

  • Impact: Stolen credentials sold on underground forums, leading to account compromise, financial losses, and unauthorized access.

• KeeThief Tool:

  • Attack Scenario: KeeThief is a PowerShell-based tool designed to extract credentials from KeePass password manager databases.

  • Tools Used: KeeThief, PowerShell scripts, compromised endpoints.

  • Impact: Attackers obtain plaintext passwords, enabling lateral movement, privilege escalation, and persistent access within networks.

• LastPass Security Incidents (2022):

  • Attack Scenario: Attackers compromised LastPass developer systems, gaining access to encrypted password vault backups.

  • Tools Used: Social engineering, compromised developer systems, exfiltration techniques.

  • Impact: Potential exposure of customer vaults, forcing users and organizations to rotate credentials and implement additional security measures.

• Agent Tesla Malware:

  • Attack Scenario: Agent Tesla malware targets browser-based password managers and standalone credential management tools.

  • Tools Used: Agent Tesla RAT, phishing campaigns, malicious email attachments.

  • Impact: Credential harvesting leading to unauthorized access, financial fraud, and further compromise of organizations.

These examples illustrate the diverse methods attackers use to target password managers and underscore the importance of robust detection and defensive measures.