Common Information

Type | Value |
---|---|
Value | Credentials from Web Browsers - T1503 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>, and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim's cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018) (Citation: FireEye HawkEye Malware July 2017) Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials. (Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can significantly further an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). |
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-11-08 | 8 | SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims - CyberSRC |
Details | Website | 2024-11-04 | 24 | From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West |
Details | Website | 2024-10-28 | 21 | Malware Trends Report: Q3, 2024 |
Details | Website | 2024-10-25 | 58 | HeptaX: Unauthorized RDP Connections For Cyberespionage Operations |
Details | Website | 2024-10-22 | 21 | Malware Trends Report: Q3, 2024 |
Details | Website | 2024-10-22 | 21 | Malware Trends Report: Q3, 2024 - ANY.RUN's Cybersecurity Blog |
Details | Website | 2024-10-17 | 16 | Dark Web Profile: Evil Corp - SOCRadar® Cyber Intelligence Inc. |
Details | Website | 2024-10-17 | 16 | Dark Web Profile: Evil Corp |
Details | Website | 2024-10-16 | 4 | 5 Techniques for Collecting Cyber Threat Intelligence |
Details | Website | 2024-10-16 | 4 | 5 Techniques for Collecting Cyber Threat Intelligence - RedPacket Security |
Details | Website | 2024-09-19 | 2 | New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails |
Details | Website | 2024-09-19 | 2 | New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails - RedPacket Security |
Details | Website | 2024-09-18 | 33 | How to Collect Threat Intelligence Using Search Parameters in TI Lookup |
Details | Website | 2024-09-12 | 71 | Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities |
Details | Website | 2024-09-04 | 0 | The Hidden Threat: LummaC2 Trojan Stealer Infecting GitHub Projects |
Details | Website | 2024-09-04 | 36 | The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government - Cyble |
Details | Website | 2024-08-30 | 17 | Snake Keylogger Attack Windows Using Weaponized Excel Doc |
Details | Website | 2024-08-29 | 6 | New Snake Keylogger Variant Slithers Into Phishing Campaigns |
Details | Website | 2024-08-28 | 27 | Deep Analysis of Snake Keylogger's New Variant \| FortiGuard Labs |
Details | Website | 2024-08-22 | 82 | Threat Tracking: Analysis of puNK-003's Lilith RAT ported to AutoIt Script |
Details | Website | 2024-07-30 | 4 | Phishing targeting Polish SMBs continues via ModiLoader |
Details | Website | 2024-07-15 | 42 | CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks |
Details | Website | 2024-07-01 | 62 | Kimsuky deploys TRANSLATEXT to target South Korean academia |
Details | Website | 2024-04-04 | 67 | BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies' Facebook Business Accounts |
Details | Website | 2024-03-20 | 18 | Rescoms rides waves of AceCryptor spam |