Credentials from Password Stores: Credentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)
Adversaries have executed similar procedures against other common web browsers such as Firefox, Safari and Edge.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)
After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
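Added here as a defender-side illustration, not part of the ATT&CK page: a small Python detector that flags processes other than the browser touching the Chrome/Edge `Login Data` store described above, and esentutl invocations that reference it (the TrickBot behaviour listed in the procedure examples). The event schema, the Firefox store paths and every sample event are constructed assumptions, not real telemetry.

```python
import re

# Stores named on the page: Chrome's "Login Data" SQLite file (Edge shares the layout).
# Firefox's logins.json/key4.db are added here as an assumption for wider coverage.
CRED_STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\\"]+\\Login Data"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\\"]+\\(logins\.json|key4\.db)",
    re.IGNORECASE,
)
# Only the browser itself is expected to open its own store.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_browser_cred_access(events):
    """Return (rule, image, path) tuples for events matching either detection rule."""
    alerts = []
    for ev in events:
        img = image_name(ev["image"])
        if ev["kind"] == "file_access" and CRED_STORE_RE.search(ev["path"]):
            # Rule 1: a process other than the browser touching a credential store.
            if img not in BROWSER_IMAGES:
                alerts.append(("non_browser_store_access", img, ev["path"]))
        elif ev["kind"] == "process_create" and img == "esentutl.exe":
            # Rule 2: esentutl pointed at a store, the TrickBot behaviour the page cites.
            match = CRED_STORE_RE.search(ev["command_line"])
            if match:
                alerts.append(("esentutl_store_copy", img, match.group(0)))
    return alerts


# Constructed EDR-style events (hypothetical schema), not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_access", "image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_access", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
    {"kind": "process_create", "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\alice\AppData\Local\Temp\ld.db /o'},
    {"kind": "process_create", "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /g C:\ProgramData\ExampleApp\cache.edb"},
]

if __name__ == "__main__":
    for alert in detect_browser_cred_access(SAMPLE_EVENTS):
        print(alert)
```

Browser processes opening their own store stay silent; the unknown `update.exe` and the esentutl copy of `Login Data` each raise one alert.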
Procedure Examples

| Name | Description |
|---|---|
| TrickBot | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Backdoor.Oldrea | Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.(Citation: Symantec Dragonfly) |
| Smoke Loader | Smoke Loader searches for credentials stored from web browsers.(Citation: Talos Smoke Loader July 2018) |
| SILENTTRINITY | SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| RedLeaves | RedLeaves can gather browser usernames and passwords.(Citation: Accenture Hogfish April 2018) |
| RainyDay | RainyDay can use tools to collect credentials from web browsers.(Citation: Bitdefender Naikon April 2021) |
| NETWIRE | NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
| OLDBAIT | OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.(Citation: FireEye APT28) |
| CosmicDuke | CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.(Citation: F-Secure The Dukes) |
| Emotet | Emotet has been observed dropping browser password grabber modules.(Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017) |
| Olympic Destroyer | Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.(Citation: Talos Olympic Destroyer 2018) |
| Crimson | Crimson contains a module to steal credentials from Web browsers on the victim machine.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| Empire | Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.(Citation: Github PowerShell Empire) |
| Machete | Machete collects stored credentials from several web browsers.(Citation: ESET Machete July 2019) |
| Prikormka | A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.(Citation: ESET Operation Groundbait) |
| TRANSLATEXT | TRANSLATEXT has stolen credentials stored in Chrome.(Citation: Zscaler Kimsuky TRANSLATEXT) |
| Mispadu | Mispadu can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023) |
| BlackEnergy | BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014) |
| XAgentOSX | |