T1555.003: Credentials from Web Browsers

Data from MITRE ATT&CK®:

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Password Policies

Set and enforce secure password policies for accounts.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Access (Process)

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

OS API Execution (Process)

Operating system function/method calls executed by a process

Stage Popular Credential Files for Exfiltration

windows

WinPwn - PowerSharpPack - Sharpweb for Browser Credentials

windows

Simulating access to Windows Edge Login Data

windows

Dump Chrome Login Data with esentutl

windows

Simulating access to Windows Firefox Login Data

windows

Search macOS Safari Cookies

macos

Decrypt Mozilla Passwords with Firepwd.py

windows

LaZagne.py - Dump Credentials from Firefox Browser

linux

WinPwn - BrowserPwn

windows

Simulating access to Opera Login Data

windows

Simulating access to Chrome Login Data

windows

WinPwn - Loot local Credentials - mimi-kittenz

windows

BrowserStealer (Chrome / Firefox / Microsoft Edge)

windows

LaZagne - Credentials from Browser

windows

Simulating Access to Chrome Login Data - MacOS

macos

WebBrowserPassView - Credentials from Browser

windows

Run Chrome-password Collector

windows

Access to Browser Login Data

windows ps script

SQLite Chromium Profile Data DB Access

windows process creation

HackTool - WinPwn Execution - ScriptBlock

windows ps script

HackTool - WinPwn Execution

windows process creation

PUA - WebBrowserPassView Execution

windows process creation

Potential Browser Data Stealing

windows process creation