Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>, and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)
Adversaries have executed similar procedures for other common web browsers such as Firefox, Safari, and Edge.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)
After acquiring credentials from web browsers, adversaries may attempt to reuse them across different systems and/or accounts in order to expand access. This can significantly further an adversary's objective where credentials gained from web browsers overlap with privileged accounts (e.g., domain administrator).
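As an added illustration of how a defender could spot the file access described above (this is example code, not part of the ATT&CK page or of any mapped product): it parses constructed Sysmon-style file-access records (the key="value" layout and the sample lines are assumptions, not real Sysmon output) and flags any process other than the browser itself opening Chrome's `Login Data` store, regardless of which profile directory it sits in.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Chrome credential store path from the technique description; the profile
# directory ("Default", "Profile 1", ...) is matched generically.
LOGIN_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
# Assumption: only the browser binary itself should open its own credential store.
BROWSER_IMAGES = {"chrome.exe"}


@dataclass(frozen=True)
class FileEvent:
    image: str    # full path of the process that opened the file
    target: str   # path of the file that was opened
    user: str     # account the process ran as


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one constructed key="value" file-access record (Sysmon-like layout, assumed)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if not {"Image", "TargetFilename", "User"} <= set(fields):
        return None
    return FileEvent(fields["Image"], fields["TargetFilename"], fields["User"])


def is_suspicious(ev: FileEvent) -> bool:
    """True when a non-browser process touches the Chrome Login Data database."""
    if not LOGIN_DATA_RE.search(ev.target):
        return False
    process_name = ev.image.rsplit("\\", 1)[-1].lower()
    return process_name not in BROWSER_IMAGES


def find_suspicious(lines: List[str]) -> List[FileEvent]:
    """Return the events that warrant an alert, in log order."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev is not None and is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'Image="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetFilename="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" User="CORP\alice"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" TargetFilename="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" User="CORP\alice"',
    r'Image="C:\Windows\notepad.exe" TargetFilename="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History" User="CORP\alice"',
    r'Image="C:\Temp\python.exe" TargetFilename="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data" User="CORP\bob"',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ev.image} opened {ev.target} as {ev.user}")
```

Browser updates and backup agents may also legitimately touch this file, so the allowlist needs tuning per environment before the rule is promoted to an alert.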
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-02.01 | Patch identification and application | Mitigates | T1555.003 | Credentials from Web Browsers | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
DE.CM-01.05 | Website and service blocking | Mitigates | T1555.003 | Credentials from Web Browsers | This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft. |
PR.AA-01.02 | Physical and logical access | Mitigates | T1555.003 | Credentials from Web Browsers | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1555.003 | Credentials from Web Browsers | This diagnostic statement protects against Credentials from Web Browsers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1555.003 | Credentials from Web Browsers | |
attribute.confidentiality.data_disclosure | None | related-to | T1555.003 | Credentials from Web Browsers |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1555.003 | Credentials from Web Browsers | This control can detect command execution associated with this technique. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1555.003 | Credentials from Web Browsers | This control can detect command execution associated with this technique. |