Clankerusecase
MITRE ATT&CK detection coverage

T1555: Credentials from Password Stores

T1555 — Credentials from Password Stores is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 28 detection use cases covering it and 18 threat-intel articles citing it.

Tactic: Credential Access

28 use cases · 18 articles · 6 sub-techniques · 1 tactic

Sub-techniques (6)

Use cases covering this technique (28)

- 1Password item exfiltration attempt (Internal · actions · alerting)
- 1Password vault export attempted (Internal · actions · alerting)
- AWS Secrets Manager retrieval by unfamiliar principal (Internal · actions · alerting)
- GitHub personal access token cloning many repositories (Internal · actions · alerting)
- GitHub secrets-API enumeration (Internal · actions · alerting)
- Kubernetes Secret accessed (Internal · actions · alerting)
- [WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN (Internal · actions · alerting)
- MCP Postgres Suspicious Query (ESCU · actions · hunting)
- Windows Credentials from Password Stores Creation (ESCU · actions · alerting)
- Windows Credentials from Password Stores Deletion (ESCU · actions · alerting)
- Windows Credentials from Password Stores Query (ESCU · actions · hunting)
- [LLM] Velvet Ant Trojanized OpenSSH Binary Replacement (ssh/sshd/scp) (Bespoke · install · alerting)
- [LLM] Atomic Arch infostealer — bulk reads of SSH/npmrc/Vault/browser-cookie files by non-shell process (Bespoke · actions · hunting)
- [LLM] TruffleHog binary spawned by npm/node — Shai-Hulud secret harvest (Bespoke · actions · alerting)
- [LLM] AI coding agent descendant reading developer credentials / env (Agentjacking credential access) (Bespoke · actions · hunting)
- [LLM] Bun runtime reading developer credential files (.npmrc / .pypirc / .ssh / .env / cloud configs) (Bespoke · actions · alerting)
- [LLM] Megalodon harvester: clustered read of ~/.ssh/id_*, ~/.kube/config, ~/.npmrc, ~/.docker/config.json in one session (Bespoke · actions · hunting)
- [LLM] Developer credential store read by Python or Node spawned from VS Code (Nx Console stealer pattern) (Bespoke · actions · hunting)
- [LLM] Burst credential-file harvest by VS Code / node process (Nx Console stealer behaviour) (Bespoke · actions · hunting)
- [LLM] Node.js process bulk-reading cloud & SCM credential files in single session (Bespoke · actions · hunting)
- [LLM] Node/npm/Bun process enumerating cloud, wallet, AI, and messaging credential file paths (Bespoke · actions · hunting)
- [LLM] Mini Shai-Hulud: Bun runtime executing `router_runtime.js` (2nd-stage stealer) (Bespoke · actions · alerting)
- [LLM] Access to OpenClaw credential store (~/.openclaw/credentials/, ~/.openclaw/config.json5) (Bespoke · actions · alerting)
- [LLM] GlassWorm Stage-3a Ledger impersonator binary execution (SHA256 06fab21d / SKuyzYcDD.exe) (Bespoke · actions · alerting)
- [LLM] TruffleHog secret-scanner execution on developer / CI host (SHA1-Hulud credential harvest) (Bespoke · actions · alerting)
- [LLM] SnakeStealer Wi-Fi Credential Harvest via netsh wlan show profile key=clear (Bespoke · actions · alerting)
- [LLM] Scavenger loader/stealer SHA256 execution or drop on endpoint (Bespoke · install · alerting)
- [LLM] macOS Text Replacements exfiltration via `defaults read NSUserDictionaryReplacementItems` (Bespoke · actions · alerting)

Articles citing this technique (18)