T1555.003: Credentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data
and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;
. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData
, which uses the victim’s cached logon credentials as the decryption key.
Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_cred_access: PT-CR-765: Credential_Access_to_Passwords_Storage: Access to files containing credentials (browsers, password managers) is detected
mitre_attck_lateral_movement: PT-CR-1927: Start_Browser_Pivoting: A browser was started with remote debugging enabled, which can be used to forward traffic to an attacker's machine
mitre_attck_lateral_movement: PT-CR-1928: Subrule_Browser_Remote_Debugging: Attempt to start a browser with remote debugging enabled, which can be used to forward traffic to an attacker's machine
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser. |
---|
ID | DS0009 | Data source and component | Process: Process Access | Description | Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.). |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser. |
---|
ID | DS0022 | Data source and component | File: File Access | Description | Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: |
---|
Mitigation
ID | M1027 | Name | Password Policies | Description | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers. |
---|