Credentials from Password Stores: Credentials from Web Browsers

ID          Name
VT0021.001  Keychain
VT0021.002  Securityd Memory
VT0021.003  Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials and other sensitive information.

For example, where web-based SSH clients are used to reach SSH servers from a standard web browser, the associated machine identities may be saved locally by the browser. Adversaries may attempt to extract those machine identities in plaintext and use them for Lateral Movement.

Procedure Examples

Name Description
Machete

Machete collects stored credentials from several web browsers.[2]

Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.[3][4][5][6]

PLEAD

PLEAD has the ability to steal saved credentials from web browsers.[7][8]

TrickBot

TrickBot can obtain credentials stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.[9][10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Identify web browser files that contain credentials, such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events on those files, especially when the reading process is not the web browser that owns them. Monitor process execution logs, including PowerShell transcription logs, for processes that combine behaviors such as reading web browser process memory, using regular expressions, and containing numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).
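The file-read monitoring described above, as an added example that is not part of the original page: a small Python detector that runs over constructed file-access events and flags reads of browser credential stores (Chrome and Edge "Login Data", Firefox logins.json and key4.db, at assumed locations) by any process other than the browser that owns the store.

```python
import re
from dataclasses import dataclass

# Browser credential stores to watch (assumed locations; Chrome's Windows path is the
# one named on the page) and the browser process names expected to read each of them.
# Patterns are matched case-insensitively against a path with backslashes turned into
# forward slashes, so Windows, macOS and Linux events share one rule set.
CREDENTIAL_STORES = {
    "chrome_login_data": (r"/google/chrome/(user data/)?[^/]+/login data$", {"chrome.exe", "google chrome", "chrome"}),
    "edge_login_data": (r"/microsoft/edge/user data/[^/]+/login data$", {"msedge.exe"}),
    "firefox_logins": (r"/firefox/(profiles/)?[^/]+/(logins\.json|key4\.db)$", {"firefox.exe", "firefox"}),
}

@dataclass
class Alert:
    store: str
    process: str
    path: str

def parse_event(line):
    """Parse one file-access event in the constructed format 'ts|process|op|path'."""
    ts, proc, op, path = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "process": proc, "op": op, "path": path}

def classify(event):
    """Return an Alert when a process other than the owning browser reads a store."""
    if event["op"] != "READ":
        return None
    path = event["path"].replace("\\", "/").lower()
    proc = event["process"].lower()
    for store, (pattern, owners) in CREDENTIAL_STORES.items():
        if re.search(pattern, path) and proc not in owners:
            return Alert(store, event["process"], event["path"])
    return None

def scan(lines):
    """Run every non-empty event line through classify() and collect the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines if l.strip()) if a]

# Constructed sample telemetry: the second and fourth reads are the suspicious ones.
SAMPLE_EVENTS = [
    r"2020-12-29T10:00:01|chrome.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2020-12-29T10:02:17|powershell.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "2020-12-29T10:03:40|firefox|READ|/home/bob/.mozilla/firefox/k3j9x.default-release/logins.json",
    "2020-12-29T10:03:41|python3|READ|/home/bob/.mozilla/firefox/k3j9x.default-release/key4.db",
    r"2020-12-29T10:05:00|msedge.exe|WRITE|C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"2020-12-29T10:06:12|notepad.exe|READ|C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert.store}: {alert.process} read {alert.path}")
```

The owner allow-list is deliberately narrow: a sandboxed or renamed browser binary will show up as an alert, which is the safer failure mode for this kind of rule.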

ID: VT0021.003
Sub-techniques: none listed
Tactic: Credential Access
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: API monitoring, File monitoring, PowerShell logs, Process monitoring
Version: 1.0

Created: 29 December 2020

Last Modified: 29 December 2020