Common Information
| Type | Value |
|---|---|
| Value |
Credentials from Web Browsers - T1503 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2022-06-28 | 144 | Raccoon Stealer v2 - Part 1: The return of the dead | ||
| Details | Website | 2022-06-14 | 26 | QBot returns with new TTPS – Detection & Response - Security Investigation | ||
| Details | Website | 2022-05-27 | 50 | Emotet Analysis: New LNKs in the Infection Chain | Kroll | ||
| Details | Website | 2022-05-17 | 679 | Space Pirates: analyzing the tools and connections of a new hacker group | ||
| Details | Website | 2022-05-08 | 57 | Ursnif Malware Banks on News Events for Phishing Attacks | Qualys Security Blog | ||
| Details | Website | 2022-03-07 | 128 | Fake Purchase Order Used to Deliver Agent Tesla | FortiGuard Labs | ||
| Details | Website | 2022-02-24 | 123 | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA | ||
| Details | Website | 2022-02-23 | 314 | (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware | Mandiant | ||
| Details | Website | 2022-02-07 | 2 | Trellix Global Defenders: Invasion of the Information Snatchers - Protecting against RedLine Infostealer | ||
| Details | Website | 2022-02-02 | 27 | Catching the RAT called Agent Tesla | Qualys Security Blog | ||
| Details | Website | 2022-01-21 | 24 | Analysis of Xloader’s C2 Network Encryption | Zscaler | ||
| Details | Website | 2021-10-26 | 2 | Mercenary APTs - An Exploration | ||
| Details | Website | 2021-07-20 | 3 | Fighting new Ransomware Techniques with McAfee’s Latest Innovations | McAfee Blog | ||
| Details | Website | 2021-06-01 | 52 | Backdoors, RATs, Loaders evasion techniques | ||
| Details | Website | 2021-05-14 | 58 | DarkSide Ransomware Victims Sold Short | McAfee Blog | ||
| Details | Website | 2021-05-10 | 47 | IcedID Banking Trojan Malware Threat Intel Advisory | Threat Intelligence | CloudSEK | ||
| Details | Website | 2021-04-06 | 93 | Janeleiro, the time traveler: A new old banking trojan in Brazil | WeLiveSecurity | ||
| Details | Website | 2021-03-05 | 82 | Earth Vetala MuddyWater Continues to Target Organizations in the Middle East | ||
| Details | Website | 2021-01-20 | 39 | Commonly Known Tools Used by Lazarus - JPCERT/CC Eyes | ||
| Details | Website | 2021-01-12 | 70 | Operation Spalax: Targeted malware attacks in Colombia | WeLiveSecurity | ||
| Details | Website | 2020-12-15 | 74 | QakBot reducing its on disk artifacts - Hornetsecurity | ||
| Details | Website | 2020-12-02 | 100 | IcedID Stealer Man-in-the-browser Banking Trojan | ||
| Details | Website | 2020-10-27 | 61 | APT-31 Leverages COVID-19 Vaccine Theme | Zscaler Blog | ||
| Details | Website | 2020-10-27 | 49 | North Korean Advanced Persistent Threat Focus: Kimsuky | CISA | ||
| Details | Website | 2020-10-24 | 31 | Emotet Malware | CISA |