Common Information
Type | Value |
---|---|
Value | Credentials from Web Browsers - T1503 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>, and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials. (Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can significantly further an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). |
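One defensive use of the file path named in the description, added here as an example and not part of the MITRE/MISP entry: a small Python detector that scans file-access audit events and flags any process other than the browser itself touching a browser credential store. The log line format and field names (modelled loosely on Windows Security event 4663 object-access auditing, which only fires if a SACL is set on the file), the Edge and Firefox store paths, the sample events and the allow-listed process names are all assumptions for this example; only the Chrome path comes from the description.

```python
"""Flag non-browser processes accessing browser credential stores.

Added example for the T1503 entry, not code from MITRE or MISP.
Event format and field names are constructed for this example, loosely
following Windows Security event 4663 (object access auditing).
"""
import re
from typing import Dict, Iterable, List, Optional

# Credential-store locations, matched case-insensitively against the
# accessed path. The Chrome entry is the path given in the T1503
# description; the Edge and Firefox entries are assumptions for this
# example, as are the allow-listed browser executables.
CREDENTIAL_STORES = [
    ("chrome",
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$", re.I),
     {"chrome.exe"}),
    ("edge",
     re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\login data$", re.I),
     {"msedge.exe"}),
    ("firefox",
     re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json$", re.I),
     {"firefox.exe"}),
]

# Constructed audit lines: "key=value" pairs separated by "|".
SAMPLE_EVENTS = [
    r"EventID=4663|ProcessName=C:\Program Files\Google\Chrome\Application\chrome.exe|ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data|SubjectUserName=alice",
    r"EventID=4663|ProcessName=C:\Users\alice\AppData\Local\Temp\updater.exe|ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data|SubjectUserName=alice",
    r"EventID=4663|ProcessName=C:\Windows\System32\notepad.exe|ObjectName=C:\Users\alice\Documents\notes.txt|SubjectUserName=alice",
    r"EventID=4663|ProcessName=C:\Program Files\Mozilla Firefox\firefox.exe|ObjectName=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\k3j2x.default-release\logins.json|SubjectUserName=bob",
    r"EventID=4663|ProcessName=C:\Users\bob\AppData\Roaming\svc.exe|ObjectName=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\k3j2x.default-release\logins.json|SubjectUserName=bob",
    r"EventID=4663|ProcessName=C:\Windows\System32\cmd.exe|ObjectName=C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Profile 1\Login Data|SubjectUserName=bob",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a field dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased executable name from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_access(event: Dict[str, str]) -> Optional[str]:
    """Return the browser whose store a foreign process touched, else None."""
    target = event.get("ObjectName", "")
    proc = image_name(event.get("ProcessName", ""))
    for browser, pattern, allowed in CREDENTIAL_STORES:
        if pattern.search(target) and proc not in allowed:
            return browser
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule over audit lines and collect alerts."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        browser = classify_access(event)
        if browser is not None:
            alerts.append({
                "browser": browser,
                "process": event.get("ProcessName", ""),
                "user": event.get("SubjectUserName", ""),
                "path": event.get("ObjectName", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['browser']}] {alert['user']}: "
              f"{alert['process']} -> {alert['path']}")
```

The rule keys on the file rather than on the process name, so renamed or living-off-the-land tooling is still caught as long as it opens the store; legitimate backup or sync agents will show up too and need to be added to the allow-list for the environment. Reads that go through a copy of the file (for example a copied `Login Data` in a temp directory) only appear if the copy operation itself reads the original under auditing, which is why the SACL on the source file matters.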
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2023-07-27 | 117 | Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector | ||
Details | Website | 2023-07-25 | 6 | APT Profile: Kimsuky - SOCRadar® Cyber Intelligence Inc. | ||
Details | Website | 2023-07-18 | 15 | Rewterz Threat Alert – STRRAT Malware – Active IOCs | ||
Details | Website | 2023-07-13 | 43 | Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group | ||
Details | Website | 2023-07-05 | 16 | Rewterz Threat Alert – STRRAT Malware – Active IOCs | ||
Details | Website | 2023-06-15 | 37 | eSentire Threat Intelligence Malware Analysis: Aurora Stealer | ||
Details | Website | 2023-06-14 | 0 | Alert Windows Users: New Skuld Malware Steals Discord and Browser data | ||
Details | Website | 2023-06-14 | 23 | Understanding Ransomware Threat Actors: LockBit – Cyber Safe NV | ||
Details | Website | 2023-06-07 | 15 | Infostealer Prynt Malware a Deep Dive into Its Process Injection Technique - CYFIRMA | ||
Details | Website | 2023-06-02 | 91 | Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure | ||
Details | Website | 2023-05-30 | 64 | Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals | ||
Details | Website | 2023-05-30 | 66 | Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals | ||
Details | Website | 2023-05-12 | 1 | Rewterz Threat Update – New Cactus Ransomware Exploits VPN Flaws to Infiltrate Networks | ||
Details | Website | 2023-05-10 | 66 | CACTUS ransomware \| Cyber Threat Intelligence \| Kroll | ||
Details | Website | 2023-05-09 | 0 | New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks | ||
Details | Website | 2023-05-09 | 0 | New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks - RedPacket Security | ||
Details | Website | 2023-05-02 | 54 | Polish Healthcare Industry Targeted by Vidar Infostealer Likely Linked to Djvu Ransomware | ||
Details | Website | 2023-05-01 | 47 | SeroXen RAT for sale | ||
Details | Website | 2023-04-30 | 6 | Malware Trends Report: Q1, 2023 - ANY.RUN's Cybersecurity Blog | ||
Details | Website | 2023-04-26 | 15 | Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram | ||
Details | Website | 2023-04-19 | 19 | New Variants of Qakbot Banking Trojan | ||
Details | Website | 2023-04-18 | 9 | Zaraza Bot: New Malware Uses Telegram for Command & Control | ||
Details | Website | 2023-04-03 | 22 | Anomali Cyber Watch: Balada Injector Exploits WordPress Elementor Pro, Icon 3CX Stealer Detected by YARA, Koi Loader-Stealer Compresses-then-Encrypts Memory Streams | ||
Details | Website | 2023-03-27 | 64 | The many faces of the IcedID attack kill chain | ||
Details | Website | 2023-03-22 | 9 | APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc. | ||