T1555

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement an...

Platforms: IaaS, Linux, macOS, Windows

Detections: 38
Sources: 3
Threat Actors: 12

BY SOURCE

elastic: 26
sigma: 8
splunk_escu: 4

PROCEDURES (31)

Credential: 3 detections (auto-extracted for keyword "credential")
Aws: 2 detections (auto-extracted for keyword "aws")
Lateral: 2 detections (auto-extracted for keyword "lateral")
Kerbero: 2 detections (auto-extracted for keyword "kerbero")
Persist: 2 detections (auto-extracted for keyword "persist")
Process Creation Monitoring: 2 detections (auto-extracted for keyword "process creation monitoring")
Api: 1 detection (auto-extracted for keyword "api")
Credential: 1 detection (auto-extracted for keyword "credential")
Privilege: 1 detection (auto-extracted for keyword "privilege")
Api: 1 detection (auto-extracted for keyword "api")
Kerbero: 1 detection (auto-extracted for keyword "kerbero")
Kerbero: 1 detection (auto-extracted for keyword "kerbero")
Token: 1 detection (auto-extracted for keyword "token")
Script Execution Monitoring: 1 detection (auto-extracted for keyword "script execution monitoring")
Service: 1 detection (auto-extracted for keyword "service")
Privilege: 1 detection (auto-extracted for keyword "privilege")
Token: 1 detection (auto-extracted for keyword "token")
Dump: 1 detection (auto-extracted for keyword "dump")
Credential: 1 detection (auto-extracted for keyword "credential")
Ransomware: 1 detection (auto-extracted for keyword "ransomware")
Powershell: 1 detection (auto-extracted for keyword "powershell")
Service: 1 detection (auto-extracted for keyword "service")
Powershell: 1 detection (auto-extracted for keyword "powershell")
Persist: 1 detection (auto-extracted for keyword "persist")
Lateral: 1 detection (auto-extracted for keyword "lateral")
Dump: 1 detection (auto-extracted for keyword "dump")
Api: 1 detection (auto-extracted for keyword "api")
Azure: 1 detection (auto-extracted for keyword "azure")
Cloud: 1 detection (auto-extracted for keyword "cloud")
Unusual: 1 detection (auto-extracted for keyword "unusual")
Unusual: 1 detection (auto-extracted for keyword "unusual")

DETECTIONS (38)

Name (source, severity)

AWS Secrets Manager Rapid Secrets Retrieval (elastic, medium)
AWS Systems Manager SecureString Parameter Request with Decryption Flag (elastic, medium)
Azure Key Vault Excessive Secret or Key Retrieved (elastic, medium)
Azure Key Vault Unusual Secret Key Usage (elastic, medium)
Azure Storage Account Keys Accessed by Privileged User (elastic, medium)
Browser Process Spawned from an Unusual Parent (elastic, high)
Creation or Modification of Domain Backup DPAPI private key (elastic, high)
Credential Access via TruffleHog Execution (elastic, medium)
CyberArk Privileged Access Security Recommended Monitor (elastic, high)
DPAPI Backup Keys And Certificate Export Activity IOC (sigma, high)
Dump Credentials from Windows Credential Manager With PowerShell (sigma, medium)
Dumping of Keychain Content via Security Command (elastic, high)
Enumerate Credentials from Windows Credential Manager With PowerShell (sigma, medium)
First Time Python Accessed Sensitive Credential Files (elastic, medium)
First Time Seen AWS Secret Value Accessed in Secrets Manager (elastic, medium)
GenAI Process Accessing Sensitive Files (elastic, high)
HackTool - SecurityXploded Execution (sigma, critical)
HackTool - WinPwn Execution (sigma, high)
HackTool - WinPwn Execution - ScriptBlock (sigma, high)
Keychain CommandLine Interaction via Unsigned or Untrusted Process (elastic, high)
Keychain Password Retrieval via Command Line (elastic, high)
MCP Postgres Suspicious Query (splunk_escu)
Multiple Cloud Secrets Accessed by Source Address (elastic, high)
Multiple Vault Web Credentials Read (elastic, medium)
Potential Credential Access via Trusted Developer Utility (elastic, high)
Potential Secret Scanning via Gitleaks (elastic, medium)
Potential Veeam Credential Access Command (elastic, medium)
PowerShell Script with Veeam Credential Access Capabilities (elastic, medium)
PUA - AWS TruffleHog Execution (sigma, medium)
Searching for Saved Credentials via VaultCmd (elastic, medium)
Suspicious Serv-U Process Pattern (sigma, high)
Suspicious Web Browser Sensitive File Access (elastic, high)
SystemKey Access via Command Line (elastic, high)
Veeam Backup Library Loaded by Unusual Process (elastic, medium)
Windows Credentials from Password Stores Creation (splunk_escu)
Windows Credentials from Password Stores Deletion (splunk_escu)
Windows Credentials from Password Stores Query (splunk_escu)
Wireless Credential Dumping using Netsh Command (elastic, high)