| ID | Name |
|---|---|
| ATAGS-T1113.001 | Cloud Secrets Management Stores |
| ATAGS-T1113.002 | Credentials from Web Browsers |
| ATAGS-T1113.003 | Keychain |
| ATAGS-T1113.004 | Password Managers |
| ATAGS-T1113.005 | Securityd Memory |
| ATAGS-T1113.006 | Windows Credential Manager |
Threat Actors may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.