Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1555.005 | Password Managers | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1555.005 | Password Managers | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1555.005 | Password Managers | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for vendor-provided products and systems mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of attackers exploiting vulnerabilities to extract stored credentials or session cookies. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1555.005 | Password Managers | This diagnostic statement provides protection from Credentials from Password Stores: Password Managers through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include secure password storage policies, and keeping system images and software up to date, can help protect against adversaries attempting to leverage information repositories. |
PR.AA-01.02 | Physical and logical access | Mitigates | T1555.005 | Password Managers | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls for systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1555.005 | Password Managers | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1555.005 | Password Managers | This diagnostic statement protects against Password Managers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1555.005 | Password Managers | |
IA-05 | Authenticator Management | mitigates | T1555.005 | Password Managers | |
SI-02 | Flaw Remediation | mitigates | T1555.005 | Password Managers | |
CM-02 | Baseline Configuration | mitigates | T1555.005 | Password Managers | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1555.005 | Password Managers | |
SI-04 | System Monitoring | mitigates | T1555.005 | Password Managers | |
AC-03 | Access Enforcement | mitigates | T1555.005 | Password Managers | |
AC-02 | Account Management | mitigates | T1555.005 | Password Managers | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.005 | Password Managers | |
attribute.confidentiality.data_disclosure | None | related-to | T1555.005 | Password Managers | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1555.005 | Password Managers | This control can detect command execution associated with this technique. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1555.005 | Password Managers | This control can detect command execution associated with this technique. |