Applied Cybernetics Group
T1555 — Credentials from Password Stores
- Technique: T1555
- Tactics: Credential Access
- MISP citations: 0
- KEV CVEs mapped: 9
- Community rules: 8
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1555
MITRE description
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
- CVE-2025-5777
- CVE-2025-48928
- CVE-2025-48927
- CVE-2025-24054
- CVE-2024-55591
- CVE-2024-21893
- CVE-2023-46805
- CVE-2023-27532
- CVE-2017-12637
Detection coverage
SigmaHQ community rules
- PUA - AWS TruffleHog Execution (core)
- DPAPI Backup Keys And Certificate Export Activity IOC (core)
- Dump Credentials from Windows Credential Manager With PowerShell (core)
- Enumerate Credentials from Windows Credential Manager With PowerShell (core)
- HackTool - WinPwn Execution - ScriptBlock (core)
- HackTool - SecurityXploded Execution (core)
- HackTool - WinPwn Execution (core)
- Suspicious Serv-U Process Pattern (core)