Credential Access

T1555.003: Credentials from Web Browsers

T1555.003 · Sub-technique · 3 platforms · 23 groups

Description

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading the SQLite database file AppData\Local\Google\Chrome\User Data\Default\Login Data and executing the SQL query SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures against other common web browsers such as Firefox, Safari, and Edge.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to reuse them across different systems and/or accounts in order to expand access. This can significantly further an adversary's objective where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
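As an added example (not part of the ATT&CK page), a small detection check that flags processes other than the browser touching Chrome's Login Data database, the file access the description above relies on; the event format, the browser allowlist by full path, and the sample events are constructed assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# The credential store the page names: Chrome's "Login Data" SQLite database.
# The pattern accepts any profile directory (Default, Profile 1, ...), not only Default.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
]

# Assumed allowlist of browser binaries by full path, so a renamed chrome.exe in another directory is still flagged.
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

@dataclass
class FileEvent:
    process_image: str  # full path of the process that opened the file
    target_path: str    # file that was opened
    operation: str      # constructed field, e.g. "read" or "copy"

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def is_credential_store(path: str) -> bool:
    return any(p.search(_norm(path)) for p in CREDENTIAL_STORE_PATTERNS)

def is_browser(process_image: str) -> bool:
    return _norm(process_image) in BROWSER_IMAGES

def detect(events):
    """Return events where a non-browser process touched a browser credential store."""
    return [e for e in events
            if is_credential_store(e.target_path) and not is_browser(e.process_image)]

# Constructed sample telemetry (not real logs).
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", LOGIN_DATA, "read"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", LOGIN_DATA, "read"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\chrome.exe", LOGIN_DATA, "read"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data", "copy"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History", "read"),
]

if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f"ALERT T1555.003: {e.process_image} {e.operation} {e.target_path}")
```

A copy of the database read from a different location is outside this rule's view, so pair it with monitoring of known credential-dumping tools such as those listed below.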

Platforms

Linux, macOS, Windows

Mitigations (5)

Update Software (M1051)

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

User Account Management (M1018)

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

User Training (M1017)

Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.

Restrict Web-Based Content (M1021)

Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.

Password Policies (M1027)

Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

Threat Groups (23)

| ID | Group | Context |
|---|---|---|
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) dumped the login data database from <code>\AppData\Local\Google\Chrome\User Data\Default\Login Data... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from pa... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to steal credentials from installed web browsers including Microsoft Internet Explo... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) has stolen credentials stored in the victim's browsers via software tool NirSoft WebBrowserPassView.... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has used tools to dump passwords from browsers.(Citation: Symantec Buckeye) |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) ... |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chr... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne.(Citation: Syma... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in brows... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Te... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has run tools including Browser64 to steal passwords saved in victim web browsers.(Citation: Syman... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has obtained passwords and session tokens with the use of the Redline password stealer.(Citation: MST... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used a [Mimikatz](https://attack.mitre.org/software/S0002)-based tool and a PowerShell script to s... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017) |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation:... |
| G0130 | Ajax Security Team | [Ajax Security Team](https://attack.mitre.org/groups/G0130) has used FireMalv custom-developed malware, which collected passwords from the Firefox bro... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefo... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has targeted network administrator browser data including browsing history and stored credenti... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used browser extensions including Google Chrome to steal passwords and cookies from browsers. [Ki... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [LaZagne](https://attack.mitre.org/software/S0349) to steal ... |

Associated Software (64)

| ID | Name | Type | Context |
|---|---|---|---|
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(C... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has stolen passwords saved in web browsers.(Citation: Esentire ContagiousInterview BeaverTail In... |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, an... |
| S0132 | H1N1 | Malware | [H1N1](https://attack.mitre.org/software/S0132) dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.(Citation: Cisco H1N1 Part ... |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security ... |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has a PasswordRecoveryPacket module for recovering browser passwords.(Citation: QiAnXin AP... |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) contains a module that tries to obtain stored credentials from web browsers.(Citation: Ta... |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and E... |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) can steal saved usernames and passwords in Chrome as well as credit card credentials.(Citation:... |
| S1042 | SUGARDUMP | Malware | [SUGARDUMP](https://attack.mitre.org/software/S1042) variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.(Citat... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has gathered credential and other information from multiple browsers.(Citation: Cybereason Lu... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to grab passwords from numerous web browsers as well as from Outlook and Thun... |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has stolen credentials stored in Chrome.(Citation: Zscaler Kimsuky TRANSLATEXT) |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Tal... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials stored in Web browsers by querying the sqlite database.(Citation: Talos Group1... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from common web browsers.(Citation: GitHub QuasarRAT)(Citation: Volexity Pat... |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.(Cit... |
| S0153 | RedLeaves | Malware | [RedLeaves](https://attack.mitre.org/software/S0153) can gather browser usernames and passwords.(Citation: Accenture Hogfish April 2018) |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules for stealing credentials from various browsers and applications, including Chrome, O... |
| S0436 | TSCookie | Malware | [TSCookie](https://attack.mitre.org/software/S0436) has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome bro... |

Frequently Asked Questions

What is T1555.003 (Credentials from Web Browsers)?

T1555.003 is a MITRE ATT&CK sub-technique named 'Credentials from Web Browsers'. It belongs to the Credential Access tactic. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.

How can T1555.003 be detected?

Detection of T1555.003 (Credentials from Web Browsers) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1555.003?

There are 5 documented mitigations for T1555.003. Key mitigations include: Update Software, User Account Management, User Training, Restrict Web-Based Content, Password Policies.

Which threat groups use T1555.003?

Known threat groups using T1555.003 include: Patchwork, APT41, ZIRCONIUM, Malteiro, APT3, APT33, Stealth Falcon, Leafminer.