T1555.003 Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a SQLite database file, <code>%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data</code> (the file is locked while Chrome is running, so it is usually copied first), and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim's cached logon credentials as the decryption key; the call therefore has to run in that user's security context, or with that user's DPAPI master key recovered by other means.(Citation: Microsoft CryptUnprotectData April 2018) Since Chrome 80 the <code>password_value</code> column holds AES-256-GCM ciphertext (prefixed <code>v10</code>) rather than a raw DPAPI blob; the AES key is stored DPAPI-protected in the profile's <code>Local State</code> file, so <code>CryptUnprotectData</code> is applied to that key once and the individual passwords are decrypted with it.

Adversaries have executed similar procedures for other common web browsers such as Firefox, Safari, and Edge.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-02.01 | Patch identification and application | Mitigates | T1555.003 | Credentials from Web Browsers
Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

DE.CM-01.05 | Website and service blocking | Mitigates | T1555.003 | Credentials from Web Browsers
Comments: This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft.

PR.AA-01.02 | Physical and logical access | Mitigates | T1555.003 | Credentials from Web Browsers
Comments: This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

PR.AA-01.01 | Identity and credential management | Mitigates | T1555.003 | Credentials from Web Browsers
Comments: This diagnostic statement protects against Credentials from Web Browsers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.003 | Credentials from Web Browsers
attribute.confidentiality.data_disclosure | None | related-to | T1555.003 | Credentials from Web Browsers

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1555.003 | Credentials from Web Browsers
Comments: This control can detect command execution associated with this technique.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1555.003 | Credentials from Web Browsers