Credentials from Password Stores

What: Credentials from Password Stores

The MITRE ATT&CK framework identifies "Credentials from Password Stores" as a technique used by attackers to acquire credentials stored in various password management systems. This can include system-native stores like Windows Credential Manager, browser-based password managers (e.g., those in Chrome, Firefox), and third-party password management tools (e.g., LastPass, KeePass). The goal is to extract login information that can be used to escalate privileges, move laterally across a network, or access restricted data and systems.

How: Techniques and Execution Methods

  1. Accessing Browser Password Stores: Browsers often save user credentials to simplify the login process for websites. Tools or scripts such as Mimikatz, LaZagne, or custom PowerShell scripts can be used to extract these credentials directly from the storage location on disk or by tapping into browser APIs.

  2. Third-party Password Managers: These applications store their passwords in an encrypted format. Attackers may obtain master passwords through keylogging, phishing, or using memory dumping techniques to capture the master password as it’s entered or processed in memory.

  3. System Credential Managers: On Windows systems, for example, credentials are stored in the Windows Credential Manager. Techniques such as extracting secrets from the registry or using API calls with tools like Mimikatz can be employed to access these credentials.

  4. Memory Dumping: By dumping the memory contents of a process that interacts with these password stores (like a browser process or a password manager), attackers can potentially extract unencrypted passwords directly from memory.
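As an added defender-side example (not part of the original page), the following Python scans constructed, normalised endpoint events for the behaviours listed above: known dumping tools, Windows Credential Manager enumeration via VaultCmd, memory dumps or memory reads of browser and password-manager processes, and reads of browser credential files by processes other than the browser that owns them. The event schema, the allowlist of owner processes and the sample events are assumptions built for this example.

```python
import re

CREDENTIAL_TOOLS = {"mimikatz.exe", "lazagne.exe"}  # tools named in the text above
SENSITIVE_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "keepass.exe"}  # hold plaintext secrets in memory
# Browser credential files and the browser binaries expected to open them (assumed allowlist).
STORE_OWNERS = {"login data": {"chrome.exe", "msedge.exe"},  # Chromium "Login Data" SQLite db
                "logins.json": {"firefox.exe"}, "key4.db": {"firefox.exe"}}  # Firefox logins/keys
PROCESS_VM_READ = 0x0010  # access-mask bit required to read another process's memory

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event: dict):
    # Return the name of the first matching rule, or None for benign events.
    kind, image = event["type"], basename(event.get("image", ""))
    if kind == "process":
        cmd = event.get("cmdline", "").lower()
        if image in CREDENTIAL_TOOLS:
            return "credential_dumping_tool"
        if image == "vaultcmd.exe" and "/listcreds" in cmd:
            return "credential_manager_enumeration"
        if image.startswith("procdump") and any(p in cmd for p in SENSITIVE_PROCESSES):
            return "memory_dump_of_credential_process"
    elif kind == "file_access":  # a non-browser process opening a browser's credential store
        owners = STORE_OWNERS.get(basename(event["target"]))
        if owners is not None and image not in owners:
            return "browser_credential_store_read"
    elif kind == "process_access":  # another process reading a sensitive process's memory
        if (basename(event["target"]) in SENSITIVE_PROCESSES and image not in SENSITIVE_PROCESSES
                and event["access"] & PROCESS_VM_READ):
            return "credential_process_memory_read"
    return None

def detect(events) -> list:
    # Pair each matching event with the rule it triggered, preserving event order.
    return [(rule, e) for e in events if (rule := classify(e))]

# Constructed sample events in a normalised schema (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\a\Downloads\lazagne.exe", "cmdline": "lazagne.exe"},
    {"type": "process", "image": r"C:\Windows\System32\VaultCmd.exe",
     "cmdline": 'VaultCmd /listcreds:"Windows Credentials"'},
    {"type": "process", "image": r"C:\Tools\procdump64.exe", "cmdline": "procdump64.exe keepass.exe kp.dmp"},
    {"type": "file_access", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # benign: owner
    {"type": "process_access", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Program Files\KeePass\KeePass.exe", "access": 0x1410},
]
```

The fifth sample event, Chrome opening its own store, produces no finding; in a real deployment the owner allowlist and the sensitive-process set would be tuned to the software actually present.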

Where: Application Contexts

  • Local System Storage: Credentials are often stored locally on a user's machine within specific directories or system vaults depending on the operating system and applications being used.
  • Network-based Password Managers: Some enterprises use network-accessible password management systems which store credentials centrally. These can be targeted through network intrusion techniques.
  • Cloud-based Services: With the rise of cloud computing, many credentials are also stored in cloud-based password management solutions which require different approaches such as exploiting API vulnerabilities.

Why: Motivations Behind Use

Extracting credentials from password stores is primarily motivated by the need for unauthorized access to systems and data:

  • Privilege Escalation: Obtaining higher-level privileges by using extracted credentials that have more rights than the attacker's current level.
  • Lateral Movement: Using extracted credentials to access other systems within a network environment which may not be directly accessible from the attacker’s initial point of entry.
  • Persistence: Establishing ongoing access to a victim environment by using legitimate credentials, which reduces the chance of detection.
  • Avoidance of Detection: Using legitimate credentials can help attackers blend in with normal user activity, thus avoiding anomaly detection mechanisms that might otherwise flag unauthorized actions.

In summary, "Credentials from Password Stores" is about exploiting various types of software designed to manage and store passwords securely, either by circumventing their security measures directly or by leveraging ancillary systems (like browsers) where these passwords might also be cached less securely. The technique is critical because it gives attackers not just initial access but also a path to deeper penetration of an infrastructure under the guise of legitimate users.