title: Credentials from Password Stores (T1555)
id: df00tech-t1555
status: experimental
description: "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information."
references:
  - https://attack.mitre.org/techniques/T1555/
  - https://df00tech.com/detections/T1555
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555
# NOTE: logsource is auto-derived and may need adjustment for your environment. It covers
# Windows only; the macOS Keychain case listed under falsepositives (the `security` CLI)
# would need a separate rule with a macOS process_creation logsource.
logsource:
  category: process_creation
  product: windows
detection:
  # The full detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The auto-generated placeholder (EventID: '*') matched every process_creation event and
  # would have fired on all of them at level high. The selections below are a narrowed
  # stand-in built only from the tools this rule itself names under falsepositives
  # (cmdkey /list and LaZagne); Sigma string matching is case-insensitive by default.
  selection_cmdkey:
    Image|endswith: '\cmdkey.exe'
    CommandLine|contains: '/list'
  selection_lazagne:
    Image|endswith: '\lazagne.exe'
  condition: 1 of selection_*
falsepositives:
  - IT administrators using cmdkey /list to audit stored credentials during maintenance windows
  - macOS developers or sysadmins legitimately querying Keychain via the security command-line tool
  - Penetration testing teams running authorized credential audits with tools like LaZagne
  - Password manager applications performing legitimate credential operations
level: high
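The following is an added worked example, not code from df00tech or from the Sigma project: it evaluates the two cases this rule's falsepositives section names (`cmdkey /list` and LaZagne) against constructed Windows process_creation events, using Sysmon-style field names (`Image`, `CommandLine`, `User`, `ParentImage`) as an assumption about the telemetry. The sample events and the `ADMIN_ALLOWLIST` tuning set are hypothetical; the allowlist shows one way to handle the "IT administrators using cmdkey /list during maintenance windows" false positive without suppressing LaZagne executions.

```python
"""
Added example (not part of the df00tech rule or of Sigma): run the cmdkey /list and
LaZagne selections from T1555 over constructed process_creation events, then apply a
hypothetical account allowlist for the maintenance-window false positive.
"""

# Constructed sample events in Sysmon Event ID 1 style. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "cmdkey /list",
     "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Adding a credential is not the enumeration behaviour the rule targets.
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "cmdkey /add:fileserver /user:svc /pass:x",
     "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\LaZagne.exe",
     "CommandLine": "LaZagne.exe all",
     "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same enumeration, different casing, run by a known administrator account.
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "CMDKEY /LIST",
     "User": "CORP\\it-admin01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def contains_ci(value: str, needle: str) -> bool:
    """Sigma's |contains modifier: case-insensitive by default."""
    return needle.lower() in value.lower()


def selection_cmdkey(event: dict) -> bool:
    """cmdkey.exe invoked with /list (stored credential enumeration)."""
    return (endswith_ci(event.get("Image", ""), "\\cmdkey.exe")
            and contains_ci(event.get("CommandLine", ""), "/list"))


def selection_lazagne(event: dict) -> bool:
    """LaZagne binary executed (offline credential recovery tool)."""
    return endswith_ci(event.get("Image", ""), "\\lazagne.exe")


def rule_matches(event: dict) -> bool:
    """Equivalent of the Sigma condition '1 of selection_*'."""
    return selection_cmdkey(event) or selection_lazagne(event)


# Hypothetical tuning set: accounts expected to audit stored credentials during
# maintenance windows. It applies to the cmdkey case only; a LaZagne execution
# still alerts regardless of the account that launched it.
ADMIN_ALLOWLIST = {"corp\\it-admin01"}


def triage(events: list, allowlist: set = ADMIN_ALLOWLIST) -> list:
    """Return (CommandLine, disposition) for every event the rule matches,
    where disposition is 'alert' or 'suppressed'."""
    results = []
    for event in events:
        if not rule_matches(event):
            continue
        user = event.get("User", "").lower()
        suppressed = selection_cmdkey(event) and user in allowlist
        results.append((event.get("CommandLine", ""),
                        "suppressed" if suppressed else "alert"))
    return results


if __name__ == "__main__":
    for command_line, disposition in triage(SAMPLE_EVENTS):
        print(f"{disposition:10s} {command_line}")
```

Suppressing on the launching account rather than on the parent process is deliberate: an administrator's PowerShell session and an attacker's PowerShell session look identical in `ParentImage`, while an allowlisted account can at least be tied to a change ticket or maintenance window when the suppressed events are reviewed.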
