MITRE ATT&CK® Detection Strategy

DET0430: Detect Credentials Access from Password Stores

Enterprise · DET0430 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0430 is a detection strategy tied to ATT&CK technique T1555, Credentials from Password Stores. The business issue is not just “password theft”; it is that credentials taken from local password stores, password managers, or cloud secrets vaults can let an intruder bypass normal perimeter controls and continue activity as a legitimate user or service. Leaders should treat this as an identity, endpoint, cloud, and incident-response readiness problem rather than a single alert use case.

Executive priority

Prioritize this behavior where credential reuse, privileged accounts, service accounts, cloud secrets, or password manager usage could affect business continuity. Useful executive questions include: Do we know where credentials and secrets are stored across Windows, macOS, Linux, and IaaS environments? Can the SOC see suspicious access to those stores? Can IR rapidly determine which credentials may need rotation? This also supports audit and compliance evidence around credential protection, monitoring, and response procedures.

Technical view

The ATT&CK object provides no official detection logic, so teams should validate coverage against the related technique T1555 rather than assume a complete analytic exists. SOC and detection engineers should map where password stores, browser credential stores, password managers, and cloud secrets vaults exist in their environment, then confirm telemetry exists for abnormal access, enumeration, export, copying, or process interaction with those stores. IR teams should ensure playbooks include scoping of accessed stores and rapid credential reset or secret rotation decisions.

Likely telemetry

  • Endpoint process creation and command-line telemetry on Windows, macOS, and Linux systems
  • File access, file modification, and sensitive path access events for known credential storage locations
  • Authentication and identity logs showing follow-on use of potentially exposed accounts
  • Cloud control-plane and secrets-vault audit logs for IaaS and managed secret access
  • Application logs from password managers or enterprise credential management tools, where available

Detection direction

  • Start with an asset and secrets-store inventory; detection quality depends on knowing which password stores and vaults actually exist.
  • Tune for unusual access patterns rather than only known tool names, because legitimate administrative tools and backup processes may touch credential-related locations.
  • Correlate suspicious password-store access with subsequent authentication, privilege use, or lateral movement indicators to improve triage value.
  • Validate platform coverage across the related technique scope: IaaS, Linux, macOS, and Windows. The detection-strategy object itself does not specify platforms.
  • Document blind spots where endpoint telemetry, vault audit logging, or password-manager logging is unavailable or not retained long enough for investigation.
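The tuning and correlation steps above (allowlisting expected processes rather than matching tool names, and linking store access to later authentication) can be expressed as a small analytic. The following is an added example written for this page, not detection logic from the DET0430 object or from Glexia; every path, process name, host, user and log line in it is a constructed placeholder, and the inventory and allowlist are assumptions that a team would replace with its own secrets-store inventory.

```python
"""Correlate credential-store access with follow-on authentication (DET0430 / T1555).

Added example for illustration; not part of the MITRE DET0430 object or of
Glexia's analysis. All paths, process names, hosts, users and log lines are
constructed placeholders: replace the inventory and allowlist with your own.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed secrets-store inventory (assumption). Keys are the platforms in
# the T1555 scope; values are lower-case glob patterns for stores on that platform.
CREDENTIAL_STORE_GLOBS = {
    "windows": [r"c:\users\*\appdata\local\examplebrowser\login data",
                r"c:\programdata\examplevault\*"],
    "linux":   ["/etc/example-vault/*", "/home/*/.local/share/example-keyring/*"],
    "macos":   ["/users/*/library/keychains/*"],
    "iaas":    ["vault://prod/*"],   # logical path taken from a vault audit log
}

# Constructed allowlist: processes expected to touch these stores (backup agents,
# the password manager itself). Suppressed hits are still returned so the
# tuning decision remains auditable.
EXPECTED_PROCESSES = {
    "windows": {"backup-agent.exe", "examplebrowser.exe"},
    "linux":   {"backup-agent", "example-vault"},
    "macos":   {"backupd", "securityd"},
    "iaas":    {"deploy-pipeline"},
}

CORRELATION_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Parse one pipe-delimited line of the constructed log format:
    ts|kind|platform|host|user|process_or_src_host|path_or_dst_host"""
    ts, kind, platform, host, user, f6, f7 = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind,
           "platform": platform, "host": host, "user": user}
    if kind == "file_access":
        rec.update(process=f6, path=f7)
    elif kind == "auth":
        rec.update(src_host=f6, dst_host=f7)
    else:
        raise ValueError(f"unknown event kind: {kind}")
    return rec


def touches_credential_store(event):
    """True when the accessed path matches an inventoried store for its platform."""
    path = event["path"].lower()
    return any(fnmatchcase(path, g)
               for g in CREDENTIAL_STORE_GLOBS.get(event["platform"], []))


def correlate(events):
    """Build one alert per credential-store access. Severity becomes 'high' when
    the same user authenticates to a different host within the correlation
    window after the access; expected processes are marked 'suppressed'."""
    accesses = [e for e in events if e["kind"] == "file_access" and touches_credential_store(e)]
    auths = [e for e in events if e["kind"] == "auth"]
    alerts = []
    for a in accesses:
        alert = {"ts": a["ts"], "host": a["host"], "user": a["user"],
                 "process": a["process"], "path": a["path"]}
        if a["process"].lower() in EXPECTED_PROCESSES.get(a["platform"], set()):
            alert.update(severity="suppressed", reason="expected process")
        else:
            follow_on = [x for x in auths
                         if x["user"] == a["user"]
                         and a["ts"] < x["ts"] <= a["ts"] + CORRELATION_WINDOW
                         and x["dst_host"] != a["host"]]
            if follow_on:
                x = follow_on[0]
                alert.update(severity="high",
                             reason=f"followed by auth from {x['src_host']} to {x['dst_host']}")
            else:
                alert.update(severity="medium", reason="unexpected process, no follow-on auth yet")
        alerts.append(alert)
    return alerts


def detect(log_text):
    """Parse a block of log lines and return the correlated alerts."""
    return correlate([parse_event(line) for line in log_text.strip().splitlines()])


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = """\
2026-03-01T09:00:00|file_access|windows|WS-ALICE|alice|backup-agent.exe|C:\\Users\\alice\\AppData\\Local\\ExampleBrowser\\Login Data
2026-03-01T09:05:00|file_access|windows|WS-BOB|bob|unknown.exe|C:\\Users\\bob\\AppData\\Local\\ExampleBrowser\\Login Data
2026-03-01T09:12:00|auth|windows|DC01|bob|WS-BOB|FILESRV01
2026-03-01T10:00:00|file_access|linux|build01|svc-build|python3|/etc/example-vault/token
2026-03-01T10:01:00|file_access|linux|build01|svc-build|python3|/tmp/notes.txt
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['severity']:10} {alert['user']}@{alert['host']} "
              f"{alert['process']} -> {alert['path']} ({alert['reason']})")
```

Run as-is, the constructed sample yields a suppressed hit for the backup agent, a high-severity alert for the unknown process on WS-BOB (its user authenticates to another host seven minutes later), and a medium alert for the vault token read on build01; the unrelated `/tmp/notes.txt` read produces nothing. The suppressed record is the point of the second Detection direction item: the allowlist is a documented tuning decision, not a silent drop.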

Mitigation priorities

  • Reduce credential exposure first: minimize stored credentials and enforce least privilege for users, services, and vault access.
  • Harden access to password stores, password managers, and cloud secrets vaults with strong authentication and role-based access controls.
  • Ensure logging is enabled and retained for endpoint access to credential stores and cloud secret retrieval events.
  • Prepare IR procedures for credential invalidation, password reset, token revocation, and secret rotation when suspicious access is confirmed.
  • Use detection testing or purple-team validation to confirm that telemetry and playbooks work in the local environment without assuming ATT&CK coverage equals operational coverage.

Analyst notes and limits

This take is based on the detection-strategy object DET0430 and its relationship to T1555, Credentials from Password Stores. Because the official object includes no description or detection text, the practical guidance is derived only from the supplied relationship context: credential access involving common password storage locations, password managers, and cloud secrets vaults across IaaS, Linux, macOS, and Windows.

No official DET0430 detection logic, platforms, tactics, or description were supplied. Local engineering is required to identify relevant password stores, available logs, normal administrative behavior, and false-positive patterns. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detect Credentials Access from Password Stores

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1555 | Credentials from Password Stores | This object detects Credentials from Password Stores.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d27d8c3ff121fce8...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d27d8c3ff121…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0430 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.