DET0633: Detection of Credentials from Password Store
Analyst context for executives and security teams
DET0633 is a mobile ATT&CK detection strategy tied to detecting attempts to obtain credentials from password stores. Its practical value is identity-risk reduction: if an adversary can access saved passwords on an iOS device, those credentials may enable access to restricted information or support movement into other systems. Because MITRE provides no official detection logic for this strategy, organizations should treat it as a validation prompt rather than an out-of-the-box analytic.
Executive priority
Prioritize this where mobile devices hold business credentials, privileged access, or regulated data access. Leaders should ask whether mobile credential storage is governed, whether iOS security telemetry is available to the SOC, and whether incident response can quickly determine if stored credentials were exposed and need rotation. This also supports audit and compliance evidence around mobile access controls, credential protection, and incident readiness.
Technical view
SOC and IR teams should validate coverage around the related mobile technique T1634, Credentials from Password Store, on iOS. Focus on whether the environment can observe suspicious access to credential storage locations or password-management applications, correlate that activity with device posture and user context, and trigger a credential exposure response when appropriate. Since ATT&CK supplies no detection pseudocode, thresholds, data sources, or tactics for DET0633, local engineering is required to define normal versus suspicious credential-store access.
Likely telemetry
- Mobile device management or enterprise mobility management device posture and compliance events
- iOS security or endpoint telemetry where available
- Application inventory and password-manager presence or configuration data
- Authentication logs for accounts used from enrolled mobile devices
- Identity provider events showing unusual sign-in patterns after suspected mobile credential access
Detection direction
- Confirm whether mobile/iOS telemetry can show access to credential stores or password-management applications; many environments will have limited visibility here.
- Correlate suspected credential-store access with device health, jailbreak or policy-compliance status if available, and subsequent authentication activity.
- Tune carefully around legitimate password-manager usage to avoid high false-positive rates.
- Use the relationship to T1634 to drive investigation playbooks: determine what credentials may have been stored, whether they were accessed, and whether account rotation is required.
- Document telemetry gaps explicitly, because MITRE does not provide official detection content for DET0633.
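One way to prototype the correlation described in the list above, written as an added example and not as MITRE or Glexia detection content: it joins device-posture changes to later sign-ins for the same user and lists accounts to review for rotation. The event field names, the sample records, and the 24-hour window are assumptions to replace with your MDM and identity provider schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a vendor schema.
MDM_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "device": "ios-001", "user": "alice", "jailbroken": False, "compliant": True},
    {"ts": "2025-03-01T10:15:00", "device": "ios-001", "user": "alice", "jailbroken": True, "compliant": False},
    {"ts": "2025-03-01T11:00:00", "device": "ios-002", "user": "bob", "jailbroken": False, "compliant": True},
]
SIGNINS = [
    {"ts": "2025-03-01T08:30:00", "user": "alice", "device": "ios-001", "ip": "198.51.100.10"},
    {"ts": "2025-03-01T12:40:00", "user": "alice", "device": "unknown-7", "ip": "203.0.113.77"},
    {"ts": "2025-03-01T12:45:00", "user": "bob", "device": "ios-002", "ip": "198.51.100.20"},
    {"ts": "2025-03-04T12:45:00", "user": "alice", "device": "unknown-9", "ip": "203.0.113.80"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def posture_degradations(mdm_events):
    """Return (user, device, time) for each healthy-to-unhealthy transition."""
    last_ok, out = {}, []
    for e in sorted(mdm_events, key=lambda e: e["ts"]):
        bad = e["jailbroken"] or not e["compliant"]
        # Alert on the transition only, not on every repeated unhealthy report.
        if bad and last_ok.get(e["device"], True):
            out.append((e["user"], e["device"], parse(e["ts"])))
        last_ok[e["device"]] = not bad
    return out

def rotation_candidates(mdm_events, signins, window=timedelta(hours=24)):
    """Flag sign-ins from an unseen device/IP pair after a posture degradation."""
    findings = []
    for user, device, t0 in posture_degradations(mdm_events):
        mine = [s for s in signins if s["user"] == user]
        # Baseline: device/IP pairs this user signed in from before the change.
        baseline = {(s["device"], s["ip"]) for s in mine if parse(s["ts"]) < t0}
        for s in mine:
            t = parse(s["ts"])
            if t0 <= t <= t0 + window and (s["device"], s["ip"]) not in baseline:
                findings.append({"user": user, "risky_device": device,
                                 "signin_ts": s["ts"], "signin_device": s["device"],
                                 "signin_ip": s["ip"]})
    return findings

if __name__ == "__main__":
    for f in rotation_candidates(MDM_EVENTS, SIGNINS):
        print(f)
```

A finding here is a prompt to review what the device stored and whether rotation is needed, not proof that a password store was read; posture and sign-in data cannot show credential-store access directly.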
Mitigation priorities
- Establish mobile credential-storage policy for business accounts and managed devices.
- Enforce mobile device management controls and compliance requirements for devices accessing enterprise resources.
- Use strong identity controls such as phishing-resistant MFA where applicable to reduce the value of recovered passwords.
- Prepare IR procedures for suspected mobile credential exposure, including account review, session revocation, and credential reset decisions.
- Review password-manager and application governance so stored business credentials are protected and auditable.
Analyst notes and limits
This take is based on the ATT&CK detection strategy DET0633 and its relationship to mobile technique T1634, Credentials from Password Store. The only supported platform context comes from the related technique, which lists iOS. The business significance is credential exposure and downstream access risk, not a claim of known exploitation or complete detectability.
The ATT&CK object has no official description, detection text, tactics, platforms, aliases, or labels. Detection engineering must rely on local mobile management, identity, endpoint, and incident response data. Coverage will vary significantly by device ownership model, iOS telemetry availability, and password-management practices.
Detection of Credentials from Password Store
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1634 | Credentials from Password Store | This object detects Credentials from Password Store. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ad0c96f5afbd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0633
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.