Credentials from Password Stores, Technique T1555 - Enterprise

| ID | Name | Description |
| --- | --- | --- |
| C0063 | 2025 Poland Wiper Attacks | During the 2025 Poland Wiper Attacks, the adversaries configured a native CLI to gather a targeted elevated user's password using grep.[2] |
| S0331 | Agent Tesla | Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.[3] |
| G0064 | APT33 | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5] |
| G0087 | APT39 | APT39 has used the SmartFTP Password Decryptor tool to decrypt FTP passwords.[6] |
| G0096 | APT41 | APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases.[7] |
| S0373 | Astaroth | Astaroth uses external software known as NetPass to recover passwords.[8] |
| S1246 | BeaverTail | BeaverTail has collected Solana keys stored in .config/solana/id.json, as well as other login details stored on macOS within /Library/Keychains/login.keychain or on Linux within /.local/share/keyrings.[9] |
| S0484 | Carberp | Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[10] |
| S0050 | CosmicDuke | CosmicDuke collects user credentials, including passwords, for various programs, including popular instant messaging applications and email clients, as well as WLAN keys.[1] |
| S1111 | DarkGate | Some versions of DarkGate use the NirSoft Network Password Recovery or NetPass tools to steal stored RDP credentials.[11] |
| G0120 | Evilnum | Evilnum can collect email credentials from victims.[12] |
| G0037 | FIN6 | FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities, including FTP.[13] |
| G1001 | HEXANE | HEXANE has run cmdkey on victim machines to identify stored credentials.[14] |
| S0526 | KGH_SPY | KGH_SPY can collect credentials from WinSCP.[15] |
| S0349 | LaZagne | LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[16] |
| G0077 | Leafminer | Leafminer used several tools for retrieving login and password information, including LaZagne.[17] |
| S0447 | Lokibot | Lokibot has stolen credentials from multiple applications and data sources, including Windows OS credentials, email clients, and FTP and SFTP clients.[18] |
| G1026 | Malteiro | Malteiro has obtained credentials from mail clients via NirSoft MailPassView.[19] |
| S1156 | Manjusaka | Manjusaka extracts credentials from the Windows Registry associated with PremiumSoft Navicat, a utility used to access various database types.[20] |
| S0167 | Matryoshka | Matryoshka is capable of stealing Outlook passwords.[21][22] |
| S1146 | MgBot | MgBot includes modules for stealing stored credentials from the Outlook and Foxmail email clients.[23][24] |
| S0002 | Mimikatz | Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[25][26][27][28][29] |
| S9022 | MirrorStealer | MirrorStealer has the ability to steal credentials from email clients.[30][31] |
| S1122 | Mispadu | Mispadu has obtained credentials from mail clients via NirSoft MailPassView.[19][32][33] |
| G0069 | MuddyWater | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[34][35][36] |
| S0198 | NETWIRE | NETWIRE can retrieve passwords from messaging and mail client applications.[37] |
| G0049 | OilRig | OilRig has used credential dumping tools such as LaZagne to steal credentials for accounts logged into the compromised system and for Outlook Web Access.[38][39][40][41] |
| S0138 | OLDBAIT | OLDBAIT collects credentials from several email clients.[42] |
| S0048 | PinchDuke | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources, such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.[1] |
| S0435 | PLEAD | PLEAD has the ability to steal saved passwords from Microsoft Outlook.[43] |
| S0378 | PoshC2 | PoshC2 can decrypt passwords stored in the RDCMan configuration file.[44] |
| S0113 | Prikormka | A module in Prikormka collects passwords stored in applications installed on the victim.[45] |
| S0192 | Pupy | Pupy can use LaZagne for harvesting credentials.[46] |
| S0262 | QuasarRAT | QuasarRAT can obtain passwords from common FTP clients.[47][48] |
| S1240 | RedLine Stealer | RedLine Stealer has obtained credentials from VPN services, FTP clients, and Instant Messenger (IM)/chat clients.[49][50][51] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used account credentials they had obtained to attempt access to Group Managed Service Account (gMSA) passwords.[52] |
| G0038 | Stealth Falcon | Stealth Falcon malware gathers passwords from multiple sources, including the Windows Credential Vault and Outlook.[53] |
| G1017 | Volt Typhoon | Volt Typhoon has attempted to obtain credentials from OpenSSH, RealVNC, and PuTTY.[54] |
| S1207 | XLoader | XLoader can collect credentials stored in email clients.[55][56] |