T1555.005: T1555.005

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 22/01/2021 17:08 · Modified 08/04/2026 13:01

Essential information

MITRE technique ID: T1555.005
Confidence: 100/100
Revoked: No
Published: 22/01/2021 17:08
Modified: 08/04/2026 13:01
Author / Source: The MITRE Corporation

Aliases

Password Managers

Platforms

windows macos linux

Description

Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019) Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Cyberreason Anchor December 2019
ise Password Manager February 2019
NVD CVE-2019-3610
mitre-attack (T1555.005)
FoxIT Wocao December 2019
Github KeeThief

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (12)

LAPSUS$ uses DEV-0537Strawberry Tempest

The MITRE Corporation Confidence 100

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0501 uses

The MITRE Corporation Confidence 100

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SnakeKeylogger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-3390 uses Earth SmilodonTG-3390

The MITRE Corporation Confidence 100

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NyashTeam and Kapchenka uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Scattered Spider uses Roasted 0ktapusOcto Tempest

The MITRE Corporation Confidence 100

[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (19)

ACR Stealer uses

Family
TSPY_TRICKLOAD uses

Family
Latrodectus uses

Family
transformers.pyz uses

Family
Salat Stealer uses

Family
OnyxC2 uses

Family
InvisibleFerret uses

Family

← Previous

Page / 2

13–19 of 19

Inside OnyxC2: The New Stealer Targeting 210 Apps related

15 MITREs 1 Malware 4 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Laravel Lang Compromised with RCE Backdoor Across 700+ … related

19 MITREs 2 Malwares 2 Observables
Latest PyPi Compromise related

AlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT
North Korea's Contagious Interview Campaign Spreads Across 5 … related

AlienVault Confidence 100 16 MITREs 4 IOCs 4 Observables 1 APT
SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention related

16 MITREs 1 Malware 2 Observables 1 APT
APT Lazarus: Eager Crypto Beavers, Video calls and … related

20 MITREs 2 Malwares 85 Observables 1 APT
Exploring AsyncRAT and Infostealer Plugin Delivery Through… related

2 CVEs 11 MITREs 1 Malware 8 Observables
Double Trouble: Latrodectus And ACR Stealer Observed Spreading … related

6 CVEs 10 MITREs 2 Malwares 15 Observables

Vulnerabilities (CVE) (8)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-28986 targets

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2024-7593 KEV targets

9.8 Critical

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass …

Attack vector: Network
Complexity: LOW
Published: 13/08/2024
Modified: 06/06/2026

CWE-287 Received

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

Attack patterns (MITRE) (1)

T1555 subtechnique-of

Credentials from Password Stores MITRE

Course Of Action (5)

Software Configuration mitigates
Password Policies mitigates
User Training mitigates
User Account Management mitigates
Update Software mitigates

Campaign (1)

Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use