T1555 | Credential Access | Medium difficulty

Credentials from Password Stores

Credentials from Password Stores (T1555) is a MITRE ATT&CK technique in the Credential Access tactic. SOC analysts detect it by monitoring XDR and SIEM telemetry for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Credentials from Password Stores?

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on an operating system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain credentials. These password managers are often targets for attackers because they consolidate access to many credentials in a single location protected by a single master password or authentication factor. Common credential storage locations include the Windows Credential Manager, macOS Keychain, Linux secret service APIs, web browser saved passwords databases (Chrome, Firefox, Edge), and third-party password manager databases. Credential theft from password stores can provide attackers with credentials for a wide variety of services, accounts, and systems simultaneously, dramatically accelerating the pace of a breach by eliminating the need to attack individual accounts separately.

Credentials from Password Stores is documented as technique T1555 in the MITRE ATT&CK knowledge base under the Credential Access tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Credentials from Password Stores activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for access to Windows Credential Manager vaults, particularly from processes other than credential management applications, using API calls to CredEnumerate, CredRead, and CredentialRead functions from unexpected processes.

2. Alert on processes reading browser password database files (Login Data for Chrome, logins.json for Firefox) from locations in user profile directories, as legitimate browsers access these files through in-process APIs rather than external file reads.

3. Detect password manager database file access by unexpected processes, including KeePass KDBX files, LastPass local cache files, and 1Password OPVault directories being opened by processes other than the legitimate password manager application.

4. Monitor macOS Keychain access by non-Apple processes and newly installed applications, as macOS logs keychain access events that can reveal unauthorized credential extraction from the system keychain or application keychains.

5. Track execution of known credential extraction tools such as LaZagne, WebBrowserPassView, and CredentialFileView by file name, hash, and behavioral signature including their characteristic file access patterns.

Example Alerts

These realistic alert examples show what Credentials from Password Stores looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Tool: XDR

Browser Password Database Accessed by External Process

File access event detected: process C:\Users\temp\payload.exe opened Chrome Login Data database file at C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data. This SQLite database contains all passwords saved in Chrome. The accessing process is not Chrome and has no legitimate reason to read this file. Subsequent network activity shows exfiltration of the extracted credentials to an external server.

Severity: Critical | Tool: XDR

LaZagne Credential Harvesting Tool Executed

File hash match for LaZagne.exe, an open-source credential harvesting tool that extracts passwords from over 30 software applications. The tool accessed Chrome, Firefox, Windows Credential Manager, PuTTY sessions, and FileZilla configuration files in sequence, extracting stored credentials from all these sources simultaneously. LaZagne is widely used by both penetration testers and threat actors for rapid credential collection after gaining initial access.

Severity: High | Tool: XDR

KeePass Database File Copied to Staging Directory

File copy event detected: KeePass.kdbx password database copied from user Documents folder to C:\ProgramData\Temp staging directory. The copy was performed by the same process that subsequently performed network connections to an external server. While the database itself requires a master password to open, offline brute force attacks against KDBX files can recover weak master passwords, and the copy indicates targeted theft of the password manager database.
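An added detection example, not code from SOCSimulator or this guide: a small Python triage function that applies detection strategies 2, 3 and 5 above to constructed file-access events shaped like the three example alerts, flagging a credential-store file read or copied by a process that is not its owning application, a store file copied into a staging directory, and known harvesting tools by image name. The store path patterns, process allowlists, staging directories and sample events are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Credential-store file patterns and the process images expected to touch them; the
# patterns and allowlists are assumptions for this example, matched against lower-cased paths.
STORE_RULES = [
    ("Chrome Login Data", re.compile(r"\\google\\chrome\\user data\\.*\\login data$"), {"chrome.exe"}),
    ("Firefox logins.json", re.compile(r"\\mozilla\\firefox\\profiles\\.*\\logins\.json$"), {"firefox.exe"}),
    ("KeePass KDBX database", re.compile(r"\.kdbx$"), {"keepass.exe"}),
]
# Known credential extraction tools matched on image name (strategy 5); hash matching is omitted.
KNOWN_TOOLS = {"lazagne.exe", "webbrowserpassview.exe", "credentialfileview.exe"}
STAGING_DIRS = (r"c:\programdata\temp", r"c:\windows\temp")  # assumed staging locations

@dataclass
class FileEvent:
    process: str    # full image path of the accessing process
    target: str     # file path that was read or copied
    action: str     # "read" or "copy"
    dest: str = ""  # destination path for copies

def classify(event: FileEvent):
    """Return (severity, reason) for a suspicious event, or None if it looks benign."""
    image = event.process.rsplit("\\", 1)[-1].lower()
    target = event.target.lower()
    if image in KNOWN_TOOLS:
        return ("critical", f"known credential harvesting tool {image} executed")
    for store, pattern, allowed in STORE_RULES:
        if not pattern.search(target) or image in allowed:
            continue  # not a credential store, or the owning application touching its own file
        if event.action == "copy" and event.dest.lower().startswith(STAGING_DIRS):
            return ("high", f"{store} copied to staging directory by {image}")
        return ("high", f"{store} {event.action} by non-owner process {image}")
    return None

def triage(events):
    return [(e.process, *hit) for e in events if (hit := classify(e))]

# Constructed sample telemetry shaped like the example alerts above (not real logs).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent(r"C:\Users\temp\payload.exe",
              r"C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent(r"C:\Users\temp\LaZagne.exe",
              r"C:\Users\jsmith\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json", "read"),
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\jsmith\Documents\KeePass.kdbx",
              "copy", r"C:\ProgramData\Temp\KeePass.kdbx"),
]
```

The first sample event (Chrome reading its own Login Data) is the benign baseline the allowlist must suppress; the other three correspond to the three alerts.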

Practice Detecting Credentials from Password Stores

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Credentials from Password Stores. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Credentials from Password Stores?

SOC analysts detect Credentials from Password Stores (T1555) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for access to Windows Credential Manager vaults, particularly by processes other than credential management applications. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.

What security tools are used to detect Credentials from Password Stores?

Credentials from Password Stores can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the credential access phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.

How common is Credentials from Password Stores in real-world attacks?

Credentials from Password Stores is a well-documented MITRE ATT&CK technique in the Credential Access tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Credentials from Password Stores scenarios based on documented attack patterns, helping analysts build detection intuition.

Can I practice detecting Credentials from Password Stores for free?

Yes. SOCSimulator offers free forever access to training scenarios, including Credential Access techniques like Credentials from Password Stores. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.