Technique ID: T1555
Category: MITRE ATT&CK
Tactic: Credential Access
Published: March 2026

T1555: Credentials from Password Stores

Adversaries extract stored credentials from browser password managers, operating system keychains, third-party password vaults, and cloud secrets management systems. These repositories exist to make credential management easier for users and applications. They also make credential theft easier for attackers. One successful extraction can yield hundreds of passwords in seconds — no phishing required.

T1555 targets the places where passwords live when they are not being typed. Browsers save login credentials in local databases. Operating systems maintain encrypted keychains. Enterprise teams store service account secrets in cloud vaults. Password managers hold entire digital identities behind a single master password. Each of these systems was designed to reduce the burden of credential management. Each has become a high-value target for adversaries seeking to harvest credentials at scale.

The technique is central to the infostealer economy that now dominates the threat landscape. Infostealer malware extracted an estimated 1.8 billion credentials in 2025, and stolen credential logs have become the primary currency of initial access brokers who sell network entry points to ransomware operators. Microsoft identified Lumma Stealer — a malware-as-a-service platform built around browser credential and cookie theft — on more than 394,000 Windows systems in a two-month period before coordinating an international takedown in May 2025. The operation disrupted 2,300 malicious domains, but Lumma's infrastructure rebounded within days, demonstrating how deeply embedded credential theft from password stores has become in the modern cybercrime supply chain.

How Credential Extraction Works

The attack begins after an adversary has gained some level of access to a target system — through phishing, malware delivery, or exploitation of a vulnerability. Once on the system, the attacker identifies where credentials are stored and uses tools or built-in system utilities to extract them.

The specifics depend on the type of password store being targeted. Browser credential databases are stored as local files (typically SQLite databases) that can be copied and decrypted. Operating system keychains use platform-specific encryption that can sometimes be bypassed with the right access level or exploitation technique. Password manager vaults rely on a master password or key that, if compromised, unlocks every credential inside. Cloud secrets stores require API access or compromised service account tokens.

What makes T1555 particularly effective is volume. A single browser profile can contain dozens or hundreds of saved passwords across email, banking, corporate VPN, SaaS applications, and social media accounts. Stealing one browser database can hand an attacker the keys to a victim's entire digital life. When multiplied across thousands of infected endpoints — as infostealer operations routinely achieve — the result is credential theft at industrial scale.

Sub-Techniques

MITRE breaks T1555 into six sub-techniques, each representing a different type of credential store that adversaries target:

T1555.001 — Keychain

macOS uses the Keychain system to store passwords, certificates, encryption keys, and Wi-Fi credentials. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. The built-in security command-line utility can dump keychain contents if the attacker knows the user's login password or can escalate privileges. Adversaries who have compromised a macOS endpoint can extract credentials for every service the user has connected to — corporate VPNs, email accounts, cloud platforms, and internal applications — in a single operation.

T1555.002 — Securityd Memory

On macOS, the securityd daemon manages keychain operations and holds decrypted credentials in memory while they are in use. An attacker with the ability to read process memory can extract plaintext credentials directly from securityd without needing to decrypt keychain files on disk. This technique requires elevated privileges or a memory-reading exploit, but bypasses the encryption protections that make keychain files difficult to crack offline.

T1555.003 — Credentials from Web Browsers

This is the most heavily exploited sub-technique. Chromium-based browsers (Chrome, Edge, Brave, Opera) and Firefox store saved passwords, autofill data, cookies, and session tokens in local databases. On Windows, the encryption key for these databases was historically protected by the Windows Data Protection API (DPAPI), which any process running in the user's context could access — including infostealer malware.

Google introduced Application-Bound Encryption in Chrome 127 (July 2024) to address this, binding cookie encryption to the Chrome process and requiring system-level privileges for decryption. Infostealer developers bypassed the protection within 45 days. Techniques include injecting code into Chrome processes to access decrypted data in memory, abusing Chrome's remote debugging interface to dump cookies, and exploiting COM objects to interact with Chrome's encryption service. The CyberArk C4 attack, disclosed in late 2024, demonstrated a padding oracle attack against the underlying DPAPI encryption that could decrypt cookies without any elevated privileges at all.

Warning: Browser-stored credentials remain the single largest source of stolen credentials in the infostealer ecosystem. Saving passwords in browser built-in managers is fundamentally less secure than using a dedicated password manager with a strong, unique master password.

T1555.004 — Windows Credential Manager

Windows Credential Manager stores credentials for websites, network shares, remote desktop connections, and other resources accessed by the user. These credentials are encrypted with DPAPI and stored in the user's profile. Tools like Mimikatz and LaZagne can extract them programmatically. The Windows Vault, which stores web credentials separately from generic credentials, is also targeted. Adversaries use cmdkey /list to enumerate stored credentials and tools like vaultcmd to access vault entries.

T1555.005 — Password Managers

Third-party password managers (1Password, Bitwarden, KeePass, LastPass, and others) store credentials in encrypted databases protected by a master password. Adversaries target password managers by extracting the encrypted vault file and attempting to brute-force the master password offline, capturing the master password through keyloggers or memory scraping after the user unlocks the vault, or exploiting vulnerabilities in the password manager application itself. The master password is a single point of failure: if it is weak, reused, or captured, every credential in the vault is exposed.

T1555.006 — Cloud Secrets Management Stores

Cloud environments use secrets management services — AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager, HashiCorp Vault — to store API keys, database passwords, service account credentials, and encryption keys. Adversaries with compromised cloud credentials or misconfigured IAM policies can query these services to retrieve secrets that provide access to databases, internal APIs, and other cloud resources. A single misconfigured role that grants secretsmanager:GetSecretValue in AWS can expose every secret in the account.

Real-World Case Studies

The LastPass Breach — When the Password Vault Becomes the Target

The LastPass breach of 2022–2023 remains the most consequential real-world demonstration of T1555.005 in action. Attackers first compromised a developer's account in August 2022 to steal source code and technical documentation. They then used that information to target a senior DevOps engineer's personal computer, exploiting a vulnerability in third-party media software to install a keylogger. The keylogger captured the engineer's master password after they authenticated with MFA, giving the attackers access to the corporate vault and ultimately to encrypted backups of customer vault data for more than 25 million users.

The stolen vaults were encrypted, but attackers have been systematically cracking weaker master passwords ever since. Security researchers have traced more than $45 million in cryptocurrency theft to credentials stored in those vaults, including $150 million stolen from a single victim — Ripple co-founder Chris Larsen — using seed phrases that had been stored in LastPass Secure Notes. Federal prosecutors confirmed the connection in a March 2025 court filing. As of December 2024, new waves of vault-derived theft were still being documented.

Lumma Stealer — Browser Credential Theft at Industrial Scale

Lumma Stealer exemplifies how T1555.003 operates as a service. Sold as a malware-as-a-service platform with subscription tiers ranging from $250 to $20,000 per month, Lumma automates the extraction of saved passwords, session cookies, autofill data, and cryptocurrency wallet files from infected systems. Microsoft's 2025 Digital Defense Report identified Lumma as the most prevalent infostealer between October 2024 and October 2025.

Lumma's distribution channels include phishing emails impersonating brands like Booking.com, malvertising campaigns targeting software download searches, trojanized applications, and fake CAPTCHA pages that trick users into running malicious PowerShell commands (the ClickFix technique). Once on a system, Lumma extracts browser credentials within seconds and exfiltrates them to command-and-control servers. The stolen data is packaged into stealer logs and sold through Telegram channels and dark web marketplaces, where initial access brokers purchase them to identify corporate credentials worth exploiting further.

In May 2025, Microsoft led an international operation with the DOJ, Europol, and partners including Cloudflare and ESET to dismantle Lumma's infrastructure, seizing approximately 2,300 domains. The disruption was significant but temporary — new Lumma indicators of compromise surged within 48 hours of the takedown, demonstrating the resilience of the decentralized malware-as-a-service model.

The Snowflake Campaign — Stolen Credentials, Massive Data Breaches

In mid-2024, a threat actor used credentials stolen by infostealer malware to access customer accounts on the Snowflake cloud data platform. The stolen credentials — harvested from browser password stores and sold through stealer log marketplaces — allowed the attacker to log into Snowflake instances belonging to approximately 165 organizations. The victims included Ticketmaster (560 million customer records), AT&T (call and text records for nearly all customers), Santander Bank, and Advance Auto Parts. None of the compromised accounts had MFA enabled.

The Snowflake campaign demonstrated the full lifecycle of T1555: infostealer malware extracts browser-stored credentials from individual endpoints, those credentials are sold to other attackers, and the buyers use them to breach enterprise cloud environments at scale. The credentials that unlocked these breaches were not obtained through sophisticated exploitation. They were saved in browsers on machines that got infected with commodity malware.

Detection Strategies

Detecting credential extraction from password stores requires monitoring for access to known credential storage locations, unusual process behavior around browser and credential files, and suspicious use of credential-related command-line tools.

# Detect access to Chrome Login Data and Cookies databases
# Monitor for non-browser processes reading these files

index=sysmon EventCode=1
| search (CommandLine="*Login Data*" OR CommandLine="*Cookies*"
          OR CommandLine="*Local State*" OR CommandLine="*Web Data*")
  NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe"
       OR Image="*\\brave.exe" OR Image="*\\opera.exe")
| stats count by Image, CommandLine, User, ComputerName

# Detect use of credential extraction tools and techniques
# Flag known tools: mimikatz, lazagne, cmdkey enumeration

index=sysmon EventCode=1
| search (CommandLine="*sekurlsa*" OR CommandLine="*lazagne*"
          OR CommandLine="*cmdkey /list*" OR CommandLine="*vaultcmd*"
          OR CommandLine="*security find-generic-password*"
          OR CommandLine="*security dump-keychain*"
          OR CommandLine="*ChromeKatz*")
| table _time, Image, CommandLine, User, ComputerName, ParentImage

# Detect Chrome remote debugging abuse
# Infostealers launch Chrome with --remote-debugging-port to dump cookies

index=sysmon EventCode=1 Image="*\\chrome.exe"
| search CommandLine="*--remote-debugging-port=*"
| where NOT match(ParentImage, "(?i)(chrome|update)")
| table _time, CommandLine, ParentImage, User, ComputerName

# Detect file access to macOS Keychain databases

index=edr_macos event_type=file_access
| search (file_path="*/Library/Keychains/*"
          OR file_path="*login.keychain*"
          OR file_path="*login.keychain-db*")
  NOT (process_name="securityd" OR process_name="SecurityAgent"
       OR process_name="Safari" OR process_name="loginwindow")
| stats count by process_name, file_path, user
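The three Windows rules above (credential database named by a non-browser process, known extraction tooling, Chrome launched for remote debugging by an untrusted parent) as a stand-alone Python triage over constructed Sysmon-style process-creation records. This is an added example, not part of the original briefing; the event records, user name and paths are made up here and only mirror the Sysmon EventCode 1 field names the queries use.

```python
import re

# Constructed Sysmon EventCode 1 (process creation) records for this example, not real telemetry.
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default', "User": r"CORP\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'upd.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
     "User": r"CORP\alice"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "CommandLine": "chrome.exe --headless --remote-debugging-port=9222", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmdkey /list", "User": r"CORP\alice"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
CREDENTIAL_DBS = ("login data", "cookies", "local state", "web data")
TOOL_MARKERS = ("sekurlsa", "lazagne", "cmdkey /list", "vaultcmd",
                "security find-generic-password", "security dump-keychain", "chromekatz")
TRUSTED_CHROME_PARENT = re.compile(r"(?i)(chrome|update)")  # same pattern as the SPL match()


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Names of the detection rules that fire for one process-creation event."""
    image = basename(event["Image"])
    cmd = event["CommandLine"].lower()
    hits = []
    # Rule 1: a process other than the browser itself names a browser credential database.
    if image not in BROWSERS and any(db in cmd for db in CREDENTIAL_DBS):
        hits.append("browser_credential_db_access")
    # Rule 2: the command line carries a marker of a known credential-extraction tool.
    if any(marker in cmd for marker in TOOL_MARKERS):
        hits.append("credential_tool")
    # Rule 3: Chrome started with a remote-debugging port by a parent that is neither
    # Chrome nor its updater (the cookie-dumping pattern described above).
    if image == "chrome.exe" and "--remote-debugging-port=" in cmd \
            and not TRUSTED_CHROME_PARENT.search(event["ParentImage"]):
        hits.append("chrome_remote_debugging")
    return hits


def triage(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(User, Image, rules) for every event that fires at least one rule."""
    return [(e["User"], e["Image"], hits) for e in events if (hits := classify(e))]


if __name__ == "__main__":
    for user, image, rules in triage(EVENTS):
        print(f"{user} {image}: {', '.join(rules)}")
```

Matching the database name in the command line only catches tools that name the file explicitly; a process that opens the file through the file API leaves no such marker, so pair this with EDR file-access telemetry of the kind the macOS query above relies on.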
Note: Cloud secrets store access should be monitored through cloud-native audit logs. In AWS, look for GetSecretValue calls in CloudTrail from unfamiliar principals or IP addresses. In Azure, monitor Key Vault diagnostic logs for unusual SecretGet operations. Alerting on secrets access from outside expected CIDR ranges or service accounts is a high-fidelity detection.
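The AWS side of that note as a worked check: GetSecretValue events evaluated against an expected-access profile (which role may read secrets, and from which CIDR ranges). This is an added example, not from the original briefing; the account ID, role, user, secret names and addresses are constructed, and the profile itself is the assumption an operator would have to maintain.

```python
import ipaddress

# Expected access profile for this example (constructed): the one role that should read
# secrets and the source ranges (VPC egress, office NAT) it should read them from.
ROLE = "arn:aws:iam::111122223333:role/app-backend-role"
ALLOWED_ROLE_ARNS = {ROLE}
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed CloudTrail records with the fields a real Secrets Manager event carries.
ASSUMED = {"type": "AssumedRole",
           "arn": "arn:aws:sts::111122223333:assumed-role/app-backend-role/i-0123abcd",
           "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
IAM_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"}

def record(event_name, source_ip, identity, secret_id=None):
    rec = {"eventSource": "secretsmanager.amazonaws.com", "eventName": event_name,
           "sourceIPAddress": source_ip, "userIdentity": identity}
    if secret_id:
        rec["requestParameters"] = {"secretId": secret_id}
    return rec

CLOUDTRAIL_EVENTS = [
    record("GetSecretValue", "10.20.5.7", ASSUMED, "prod/db/master"),         # expected read
    record("GetSecretValue", "198.51.100.23", IAM_USER, "prod/db/master"),    # wrong principal and source
    record("ListSecrets", "198.51.100.23", IAM_USER),                         # enumeration, not a read
    record("GetSecretValue", "198.51.100.44", ASSUMED, "prod/payments/key"),  # right role, wrong source
]

def principal_of(event):
    """Attribute assumed-role sessions to the role they came from; others to their own ARN."""
    identity = event["userIdentity"]
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", identity["arn"])

def in_allowed_range(source):
    """True only for an IP address inside an expected range. Calls made on the caller's
    behalf by another AWS service carry a DNS name here; treat those as unexpected too."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_RANGES)

def check_secret_access(event):
    """None for anything but GetSecretValue; otherwise the anomaly reasons (empty if expected)."""
    if (event["eventSource"], event["eventName"]) != ("secretsmanager.amazonaws.com", "GetSecretValue"):
        return None
    reasons = []
    principal = principal_of(event)
    if principal not in ALLOWED_ROLE_ARNS:
        reasons.append(f"unexpected principal {principal}")
    source = event.get("sourceIPAddress", "")
    if not in_allowed_range(source):
        reasons.append(f"source {source} outside expected ranges")
    return reasons

def alerts(events):
    """(secretId, reasons) for every secret read that deviates from the expected profile."""
    return [(e["requestParameters"]["secretId"], r) for e in events if (r := check_secret_access(e))]
```

Attributing assumed-role sessions to their issuing role matters in practice: session ARNs carry a per-session suffix, so an allowlist of raw `userIdentity.arn` values would never match and every legitimate read would alert.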

Known Threat Actors

T1555 is used extensively by both cybercriminal operations and state-sponsored groups. The following is a partial list of threat actors documented by MITRE and commercial threat intelligence as using credential extraction from password stores:

  • APT33 / Elfin (Iran) — Used publicly available tools like LaZagne to extract credentials from compromised systems across government and private sector targets
  • APT41 (China) — Obtained plaintext and hashed passwords from databases and password stores during dual-purpose espionage and financial theft operations
  • Volt Typhoon (China) — Extracted credentials from browsers and Windows Credential Manager as part of living-off-the-land operations targeting U.S. critical infrastructure
  • MuddyWater (Iran) — Deployed LaZagne and custom tools to harvest stored credentials from targeted Middle Eastern organizations
  • Evasive Panda / Daggerfly (China) — Used credential extraction alongside custom malware to target telecom providers and government entities
  • Scattered Spider (UNC3944) — Combined social engineering with infostealer deployment to harvest credentials for high-profile enterprise intrusions
  • FIN6 — Used credential stealers including tools targeting FTP and email utilities to support financially motivated operations

On the commodity malware side, the infostealer families most associated with T1555 include Lumma Stealer, RedLine, Vidar, StealC, Raccoon Stealer, Agent Tesla, and FormBook — all of which target browser credential stores as a primary function.

Defensive Recommendations

Critical: Browser-saved passwords are the lowest-hanging fruit for infostealers. Organizational policy should prohibit storing credentials in browsers and enforce this through endpoint management. This single control eliminates the largest attack surface for T1555.

  1. Prohibit saving passwords in browsers: Use Group Policy, MDM, or endpoint management tools to disable the browser password manager across the organization. Deploy a dedicated password manager (1Password, Bitwarden, etc.) as a managed alternative with a strong, unique master password and enterprise SSO integration.
  2. Deploy phishing-resistant MFA everywhere: FIDO2 security keys and passkeys are resistant to credential replay even if stored passwords are stolen. Credential theft from password stores becomes far less damaging when every service requires a second factor that cannot be extracted from the endpoint.
  3. Accelerate passkey adoption: Passkeys eliminate stored passwords entirely. Where services support them, passkeys replace the credential that would otherwise sit in a password store waiting to be stolen. Prioritize passkey enrollment for privileged accounts and high-value services.
  4. Monitor for infostealer indicators: Tune EDR and SIEM detections for processes accessing browser credential databases, Chrome remote debugging abuse, and known credential extraction tools. Monitor for stealer log appearances through dark web monitoring services that alert when organizational credentials surface in underground marketplaces.
  5. Harden cloud secrets management: Apply least-privilege IAM policies to secrets stores. Restrict GetSecretValue, SecretGet, and equivalent API permissions to specific roles and source IP ranges. Enable audit logging and alert on anomalous access patterns. Rotate secrets on a defined schedule and immediately after any suspected compromise.
  6. Implement session token protections: Short-lived session tokens, continuous access evaluation (CAE), and token binding reduce the window of opportunity when session cookies are stolen alongside passwords. Enforce re-authentication for sensitive operations even within active sessions.
  7. Endpoint hardening against infostealers: Keep browsers, operating systems, and security software fully patched. Restrict administrative privileges to limit the effectiveness of credential extraction tools. Use application control policies to prevent unauthorized executables from running. Educate users about the social engineering tactics — fake CAPTCHAs, cracked software, malvertising — that deliver infostealer malware.
  8. Audit and rotate credentials proactively: Assume that credential stores on any compromised endpoint are fully exposed. Incident response procedures should include forced rotation of every credential stored on an infected machine — not just the credentials the attacker is known to have used.

MITRE ATT&CK Mapping

Technique ID: T1555
Technique Name: Credentials from Password Stores
Tactic: Credential Access
Platforms: Windows, Linux, macOS, IaaS
Sub-Techniques: T1555.001 Keychain, T1555.002 Securityd Memory, T1555.003 Credentials from Web Browsers, T1555.004 Windows Credential Manager, T1555.005 Password Managers, T1555.006 Cloud Secrets Management Stores
Data Sources: Command (Execution), File (Access), Process (Access, Creation), Cloud Service (Enumeration)
Version: 1.2 (Last Modified October 2025)
MITRE Reference: attack.mitre.org/techniques/T1555

Sources and References

  • MITRE ATT&CK — T1555 Credentials from Password Stores: attack.mitre.org
  • Microsoft — Disrupting Lumma Stealer (May 2025): blogs.microsoft.com
  • CyberArk Labs — C4 Bomb: Chrome AppBound Cookie Encryption Bypass: cyberark.com
  • Elastic Security Labs — Katz and Mouse Game: Infostealer Chrome Bypasses: elastic.co
  • SpyCloud — Infostealers Bypass Chrome App-Bound Encryption: spycloud.com
  • Krebs on Security — Feds Link $150M Cyberheist to LastPass Hacks: krebsonsecurity.com
— end of briefing