MITRE ATT&CK® Analytic

AN1643: Analytic 1643

Detection of password manager database access (1Password .opvault, LastPass caches, KeePass .kdbx) outside expected parent processes. Identifies memory scraping attempts via suspicious API calls or tools attaching to password manager processes.

Enterprise · AN1643 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about protecting password manager secrets on macOS by looking for access to password manager databases or processes from unexpected places. For executives and security leaders, the decision value is straightforward: if password manager vault files or running password manager processes can be accessed outside normal application behavior, a compromise can quickly turn into broader credential exposure, incident escalation, and loss of confidence in identity controls.

Executive priority

Prioritize this as an identity and incident-readiness control validation, not just an endpoint alert. Leaders should ask whether macOS endpoints that use 1Password, LastPass, or KeePass produce enough telemetry to prove vault database access and suspicious process attachment can be investigated. This also supports audit and resilience discussions around privileged access, password manager governance, and whether SOC/IR teams can detect attempts to access stored secrets before they become wider account compromise.

Technical view

For macOS, validate monitoring around access to password manager database artifacts named in the ATT&CK description: 1Password .opvault, LastPass caches, and KeePass .kdbx. Detection engineering should focus on access to these files outside expected parent processes and on suspicious API calls or tools attaching to password manager processes. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams must define expected parent processes locally and test against their approved password manager clients, update mechanisms, backup tools, endpoint security tools, and administrative workflows.

Likely telemetry

  • macOS process execution and parent/child process context
  • File access events for password manager vault or cache files, including .opvault and .kdbx where present
  • Process-to-process access or attachment telemetry involving password manager processes
  • Endpoint security events indicating suspicious API calls or memory access behavior
  • User, host, and application inventory showing which macOS systems use 1Password, LastPass, or KeePass

Detection direction

  • Establish a baseline of legitimate password manager processes and expected parent processes on macOS.
  • Alert or hunt for vault or cache file access by processes that are not approved password manager clients, backup agents, security tools, or documented administrative utilities.
  • Validate visibility into process attachment or memory-access behavior against password manager processes; absence of this telemetry is a material blind spot for this analytic.
  • Tune carefully for false positives from endpoint protection, backup, indexing, migration, or enterprise management tools that may legitimately inspect files or processes.
  • Because no ATT&CK relationships are supplied, do not infer a specific tactic, threat actor, or malware linkage; use this analytic as behavior-focused credential protection coverage.
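As an added example (not part of the Glexia page or of the ATT&CK object), the following Python pass applies the baselining idea above to constructed macOS endpoint events: vault or cache file opens are compared against an allowlist of (process, parent) pairs, and attachment to a password manager process against an allowlist of approved tools. The event schema, the vault path patterns and every process name in the allowlists are assumptions to be replaced by a locally established baseline.

```python
import re
# Vault/cache artifacts named in AN1643. The path patterns are assumptions;
# real locations vary by client version and must be confirmed locally.
VAULT_PATTERNS = [re.compile(r"\.opvault(/|$)"),   # 1Password
                  re.compile(r"\.kdbx$"),          # KeePass
                  re.compile(r"/LastPass/")]       # LastPass cache dir (assumed)

# Locally baselined (process, parent) pairs allowed to open vault files and
# processes allowed to attach to password manager processes. Illustrative
# names only; replace them with your own baseline.
EXPECTED_READERS = {("1Password", "launchd"), ("KeePassXC", "launchd"),
                    ("backupd", "launchd")}
EXPECTED_ATTACHERS = {"EndpointSecurityAgent"}
PASSWORD_MANAGER_PROCS = {"1Password", "KeePassXC", "LastPass"}

def is_vault_artifact(path):
    return any(p.search(path) for p in VAULT_PATTERNS)

def evaluate(event):
    """Return a finding dict for one event, or None when it matches baseline."""
    if event["type"] == "file_open" and is_vault_artifact(event["path"]):
        if (event["process"], event["parent"]) not in EXPECTED_READERS:
            return {"rule": "vault_file_access", "process": event["process"],
                    "parent": event["parent"], "path": event["path"]}
    elif (event["type"] == "process_attach"
          and event["target"] in PASSWORD_MANAGER_PROCS
          and event["process"] not in EXPECTED_ATTACHERS):
        return {"rule": "pm_process_attach", "process": event["process"],
                "target": event["target"]}
    return None

def findings(events):
    return [f for f in map(evaluate, events) if f is not None]

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"type": "file_open", "process": "1Password", "parent": "launchd",
     "path": "/Users/alice/Library/Vaults/default.opvault/default/profile.js"},
    {"type": "file_open", "process": "KeePassXC", "parent": "launchd",
     "path": "/Users/alice/Documents/work.kdbx"},
    {"type": "file_open", "process": "KeePassXC", "parent": "bash",  # unexpected parent
     "path": "/Users/alice/Documents/work.kdbx"},
    {"type": "file_open", "process": "python3", "parent": "Terminal",
     "path": "/Users/alice/Documents/work.kdbx"},
    {"type": "file_open", "process": "cp", "parent": "bash",
     "path": "/Users/alice/Library/Application Support/LastPass/cache.dat"},
    {"type": "process_attach", "process": "EndpointSecurityAgent", "target": "KeePassXC"},
    {"type": "process_attach", "process": "lldb", "target": "1Password"},
]
```

Running `findings(SAMPLE_EVENTS)` yields four findings: the approved client launched from an unexpected parent, two non-client processes reading vault files, and one unapproved attach; the baselined client and security agent produce none.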

Mitigation priorities

  • Confirm approved password manager use and file locations on macOS endpoints before building detections.
  • Restrict local access to password manager database and cache files using standard endpoint hardening and least-privilege practices.
  • Reduce unnecessary administrative tooling or scripting access to user vault locations and password manager processes.
  • Ensure SOC and IR playbooks treat suspicious password manager access as a potential credential exposure event requiring identity review.
  • Use findings to improve password manager governance, endpoint telemetry coverage, and evidence for access-control compliance.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS password manager database access and possible memory scraping behavior. Its strongest value is helping teams verify whether endpoint telemetry can distinguish normal password manager activity from unusual file or process access. Local baselining is essential because expected parent processes and legitimate tools vary by organization.

Official detection logic, tactics, relationships, aliases, and labels were not provided. This take is limited to the supplied macOS platform, description, external reference, and object metadata. It does not assert active exploitation, attribution, business impact, or existing detection coverage.

Official MITRE ATT&CK definition

Analytic 1643

Detection of password manager database access (1Password .opvault, LastPass caches, KeePass .kdbx) outside expected parent processes. Identifies memory scraping attempts via suspicious API calls or tools attaching to password manager processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not available in the mirrored data)
Modified: (not available in the mirrored data)
Raw hash: 12b27073b9561b7d...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 12b27073b956…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1643

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.