ID | Name |
---|---|
T1555.001 | Keychain |
T1555.002 | Securityd Memory |
T1555.003 | Credentials from Web Browsers |
T1555.004 | Windows Credential Manager |
T1555.005 | Password Managers |
T1555.006 | Cloud Secrets Management Stores |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data
and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;
. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData
, which uses the victim’s cached logon credentials as the decryption key.[2]
Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[3][4] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla can gather credentials from a number of browsers.[6] |
G0130 | Ajax Security Team |
Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.[7] |
G0022 | APT3 | |
G0064 | APT33 |
APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[9][10] |
G0067 | APT37 |
APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[11] |
G0096 | APT41 |
APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.[12] |
S0344 | Azorult |
Azorult can steal credentials from the victim's browser.[13] |
S0093 | Backdoor.Oldrea |
Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[14] |
S0089 | BlackEnergy |
BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.[15][16] |
S0657 | BLUELIGHT |
BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.[17] |
S0484 | Carberp |
Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[18] |
S0631 | Chaes |
Chaes can steal login credentials and stored financial information from the browser.[19] |
S0144 | ChChes |
ChChes steals credentials stored inside Internet Explorer.[20] |
S0492 | CookieMiner |
CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.[21] |
S0050 | CosmicDuke |
CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[22] |
S0115 | Crimson |
Crimson contains a module to steal credentials from Web browsers on the victim machine.[23][24] |
S0367 | Emotet |
Emotet has been observed dropping browser password grabber modules. [25][26] |
S0363 | Empire |
Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[27] |
G0037 | FIN6 |
FIN6 has used the Stealer One credential stealer to target web browsers.[28] |
S0531 | Grandoreiro |
Grandoreiro can steal cookie data and credentials from Google Chrome.[29][30] |
S0132 | H1N1 |
H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[31] |
G1001 | HEXANE |
HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[32] |
S0434 | Imminent Monitor |
Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.[33] |
G0100 | Inception |
Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.[34] |
S0528 | Javali |
Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[35] |
S0283 | jRAT |
jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[36] |
S0387 | KeyBoy | |
S0526 | KGH_SPY |
KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.[38] |
G0094 | Kimsuky |
Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.[39][40][41][42] |
S0356 | KONNI |
KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[43] |
G1004 | LAPSUS$ |
LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.[44] |
S0349 | LaZagne |
LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[45] |
G0077 | Leafminer |
Leafminer used several tools for retrieving login and password information, including LaZagne.[46] |
S0681 | Lizar |
Lizar has a module to collect usernames and passwords stored in browsers.[47] |
S0447 | Lokibot |
Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[48] |
S0409 | Machete |
Machete collects stored credentials from several web browsers.[49] |
G1026 | Malteiro |
Malteiro has stolen credentials stored in the victim’s browsers via software tool NirSoft WebBrowserPassView.[50] |
S1156 | Manjusaka |
Manjusaka gathers credentials from Chromium-based browsers.[51] |
S0530 | Melcoz |
Melcoz has the ability to steal credentials from web browsers.[35] |
S1146 | MgBot |
MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[52][53] |
S0002 | Mimikatz |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.[54][55][56][57] |
S1122 | Mispadu |
Mispadu can steal credentials from Google Chrome.[50][58][59] |
G0021 | Molerats |
Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[60] |
G0069 | MuddyWater |
MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.[61][62] |
S0198 | NETWIRE |
NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.[63][64][65] |
S0385 | njRAT |
njRAT has a module that steals passwords saved in victim web browsers.[66][67][68] |
G0049 | OilRig |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[69][70][71][72] OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.[72] |
S0138 | OLDBAIT |
OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.[73] |
S0365 | Olympic Destroyer |
Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1] |
G0040 | Patchwork |
Patchwork dumped the login data database from |
S0048 | PinchDuke |
PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. [22] |
S0435 | PLEAD |
PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[75][76] |
S0428 | PoetRAT |
PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.[77] |
S0113 | Prikormka |
A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[78] |
S0279 | Proton | |
S0192 | Pupy | |
S0650 | QakBot |
QakBot has collected usernames and passwords from Firefox and Chrome.[81] |
S0262 | QuasarRAT |
QuasarRAT can obtain passwords from common web browsers.[82][83] |
S1148 | Raccoon Stealer |
Raccoon Stealer collects passwords, cookies, and autocomplete information from various popular web browsers.[84] |
S0629 | RainyDay |
RainyDay can use tools to collect credentials from web browsers.[85] |
G1039 | RedCurl |
RedCurl used LaZagne to obtain passwords from web browsers.[86][87] |
S0153 | RedLeaves | |
S0240 | ROKRAT |
ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[89] |
G0034 | Sandworm Team |
Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[90] |
S0692 | SILENTTRINITY |
SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[91] |
S0226 | Smoke Loader |
Smoke Loader searches for credentials stored from web browsers.[92] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.[93] |
G0038 | Stealth Falcon |
Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.[94] |
S1042 | SUGARDUMP |
SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.[95] |
G0092 | TA505 |
TA505 has used malware to gather credentials from Internet Explorer.[96] |
S0266 | TrickBot |
TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[97][98][99] |
S0094 | Trojan.Karagany |
Trojan.Karagany can steal data and credentials from browsers.[100] |
S0436 | TSCookie |
TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.[101] |
S0130 | Unknown Logger |
Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine.[102] |
G1017 | Volt Typhoon |
Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.[103] |
S0670 | WarzoneRAT |
WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.[104][105] |
S0161 | XAgentOSX |
XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[106] |
S0251 | Zebrocy |
Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[107] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[108] |
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies |
Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers. |
M1021 | Restrict Web-Based Content |
Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface. |
M1051 | Update Software |
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
M1018 | User Account Management |
Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access. |
M1017 | User Training |
Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[1] Analytic 1 - Commands indicating credential searches in web browsers.
|
DS0022 | File | File Access |
Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: Analytic 1 - Unauthorized access to web browser credential files.
|
DS0009 | Process | OS API Execution |
Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[1] Analytic 1 - Suspicious API calls related to web browser credential access.
|
Process Access |
Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.). Analytic 1 - Unauthorized process access indicating credential searches in web browsers.
|