1. Home
  2. ATT&CK Techniques
  3. T1555 Credentials from Password Stores

T1555 Credentials from Password Stores Mappings

Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2023-46805 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability secondary_impact T1555 Credentials from Password Stores
Comments
This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.
References
  1. https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/
  2. https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVE-2024-21893 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability secondary_impact T1555 Credentials from Password Stores
Comments
This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.
References
  1. https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence
CVE-2023-27532 Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability secondary_impact T1555 Credentials from Password Stores
Comments
CVE-2023-27532 is a vulnerability in their backup & replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.
References
  1. https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  2. https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  3. https://www.group-ib.com/blog/estate-ransomware/

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1555.005 Password Managers 1
T1555.003 Credentials from Web Browsers 1
T1555.004 Windows Credential Manager 1