MITRE ATT&CK Technique
Description
Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019) Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-01-22T16:08:40.629Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may acquire user credentials from third-party '
'password managers.(Citation: ise Password Manager February '
'2019) Password managers are applications designed to store '
'user credentials, normally in an encrypted database. '
'Credentials are typically accessible after a user provides a '
'master password that unlocks the database. After the database '
'is unlocked, these credentials may be copied to memory. These '
'databases can be stored as files on disk.(Citation: ise '
'Password Manager February 2019)\n'
'\n'
'Adversaries may acquire user credentials from password '
'managers by extracting the master password and/or plain-text '
'credentials from memory.(Citation: FoxIT Wocao December '
'2019)(Citation: Github KeeThief) Adversaries may extract '
'credentials from memory via [Exploitation for Credential '
'Access](https://attack.mitre.org/techniques/T1212).(Citation: '
'NVD CVE-2019-3610)\n'
' Adversaries may also try brute forcing via [Password '
'Guessing](https://attack.mitre.org/techniques/T1110/001) to '
'obtain the master password of a password manager.(Citation: '
'Cyberreason Anchor December 2019)',
'external_references': [{'external_id': 'T1555.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1555/005'},
{'description': 'Dahan, A. et al. (2019, December '
'11). DROPPING ANCHOR: FROM A '
'TRICKBOT INFECTION TO THE DISCOVERY '
'OF THE ANCHOR MALWARE. Retrieved '
'September 10, 2020.',
'source_name': 'Cyberreason Anchor December 2019',
'url': 'https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware'},
{'description': 'Dantzig, M. v., Schamper, E. (2019, '
'December 19). Operation Wocao: '
'Shining a light on one of China’s '
'hidden hacking groups. Retrieved '
'October 8, 2020.',
'source_name': 'FoxIT Wocao December 2019',
'url': 'https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf'},
{'description': 'ise. (2019, February 19). Password '
'Managers: Under the Hood of Secrets '
'Management. Retrieved January 22, '
'2021.',
'source_name': 'ise Password Manager February 2019',
'url': 'https://www.ise.io/casestudies/password-manager-hacking/'},
{'description': 'Lee, C., Schoreder, W. (n.d.). '
'KeeThief. Retrieved February 8, '
'2021.',
'source_name': 'Github KeeThief',
'url': 'https://github.com/GhostPack/KeeThief'},
{'description': 'National Vulnerability Database. '
'(2019, October 9). CVE-2019-3610 '
'Detail. Retrieved April 14, 2021.',
'source_name': 'NVD CVE-2019-3610',
'url': 'https://nvd.nist.gov/vuln/detail/CVE-2019-3610'}],
'id': 'attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:36.347Z',
'name': 'Password Managers',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Matt Burrough, @mattburrough, Microsoft',
'Don Le, Stifel Financial'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.1'}