
Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading the SQLite database file AppData\Local\Google\Chrome\User Data\Default\Login Data and executing the SQL query SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to reuse the credentials across different systems and/or accounts in order to expand access. This can significantly further an adversary's objectives where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).
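
Detection logic for two of the data sources listed on this page (File Access on the Chrome Login Data store, and Command Execution carrying the logins-table query), run over constructed sample telemetry; this is an added example, not code from the original page or from MITRE. The JSON event shape, the Edge path and the allowlist of browser processes are assumptions.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Tail of the Chrome store path quoted on the page; the Edge entry is an
# assumption based on Edge's Chromium profile layout.
CREDENTIAL_STORE_TAILS = (
    r"google\chrome\user data\default\login data",
    r"microsoft\edge\user data\default\login data",
)
# Processes expected to read their own store (assumed allowlist; tune per estate).
EXPECTED_READERS = {"chrome.exe", "msedge.exe"}
# The SELECT against the 'logins' table quoted on the page, seen in a command line.
LOGINS_QUERY = re.compile(r"\bselect\b.*\bfrom\s+logins\b", re.IGNORECASE | re.DOTALL)

def evaluate(event: dict) -> Optional[str]:
    """Map one telemetry event to an alert label, or None if it looks benign."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if event.get("event") == "FileAccess":
        target = event.get("target", "").lower().replace("/", "\\")
        if target.endswith(CREDENTIAL_STORE_TAILS) and image not in EXPECTED_READERS:
            return "T1555.003: browser credential store read by non-browser process"
    elif event.get("event") == "ProcessCreate":
        if LOGINS_QUERY.search(event.get("command_line", "")):
            return "T1555.003: SQL query against browser 'logins' table"
    return None

def scan(log_lines: str) -> List[Tuple[str, str]]:
    """Run evaluate() over newline-separated JSON events; return (image, alert) pairs."""
    hits = []
    for line in log_lines.splitlines():
        if line.strip():
            event = json.loads(line)
            alert = evaluate(event)
            if alert:
                hits.append((PureWindowsPath(event["image"]).name, alert))
    return hits

# Constructed sample telemetry (not real logs): a benign browser read, a read
# by a binary dropped in Temp, a logins-table query, and an unrelated process.
SAMPLE_LOG = r"""
{"event": "FileAccess", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "FileAccess", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "ProcessCreate", "command_line": "sqlite3.exe ld.db \"SELECT action_url, username_value, password_value FROM logins;\"", "image": "C:\\Windows\\System32\\cmd.exe"}
{"event": "ProcessCreate", "command_line": "notepad.exe report.txt", "image": "C:\\Windows\\System32\\notepad.exe"}
"""
```

Running scan(SAMPLE_LOG) yields two hits, the Temp-dropped update.exe reading Login Data and the cmd.exe command line querying the logins table; the browser's own read and the notepad process are ignored.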

ID: T1555.003
Sub-technique of: T1555
Tactic(s): Credential Access
Platforms: Linux, macOS, Windows
Data sources: Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Access
Version: 1.2
Created: 12 Feb 2020
Last modified: 15 Aug 2024

Procedure Examples

Name Description
njRAT

njRAT has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)

BlackEnergy

BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)

H1N1

H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.(Citation: Cisco H1N1 Part 2)

Mispadu

Mispadu can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)

Imminent Monitor

Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.(Citation: QiAnXin APT-C-36 Feb2019)

Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.(Citation: Talos Olympic Destroyer 2018)

Javali

Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.(Citation: Securelist Brazilian Banking Malware July 2020)

CookieMiner

CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.(Citation: Unit42 CookieMiner Jan 2019)

Patchwork

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.(Citation: Cymmetria Patchwork)

SUGARDUMP

SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.(Citation: Mandiant UNC3890 Aug 2022)

APT41

APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.(Citation: Rostovcev APT41 2021)

WarzoneRAT

WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

ZIRCONIUM

ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.(Citation: Zscaler APT31 Covid-19 October 2020)

KONNI

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Talos Konni May 2017)

Malteiro

Malteiro has stolen credentials stored in the victim's browsers using the NirSoft WebBrowserPassView tool.(Citation: SCILabs Malteiro 2021)

SolarWinds Compromise

During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.(Citation: CrowdStrike StellarParticle January 2022)

ROKRAT

ROKRAT can steal credentials stored in web browsers by querying the SQLite database.(Citation: Talos Group123)

QuasarRAT

QuasarRAT can obtain passwords from common web browsers.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

APT3

APT3 has used tools to dump passwords from browsers.(Citation: Symantec Buckeye)

LaZagne

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.(Citation: GitHub LaZagne Dec 2018)

APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

RedLeaves

RedLeaves can gather browser usernames and passwords.(Citation: Accenture Hogfish April 2018)

Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.(Citation: Citizen Lab Stealth Falcon May 2016)

MgBot

MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)

TSCookie

TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.(Citation: JPCert TSCookie March 2018)

Smoke Loader

Smoke Loader searches for credentials stored by web browsers.(Citation: Talos Smoke Loader July 2018)

Agent Tesla

Agent Tesla can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020)

P