EXPLORE
Sign In
← Back to Explore
T1555.003

Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted c...

LinuxmacOSWindows
15
Detections
3
Sources
23
Threat Actors

BY SOURCE

7sigma5splunk_escu3elastic

PROCEDURES (11)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Event Log2 detections

Auto-extracted: 2 detections for event log

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (23)

Ajax Security TeamAPT3APT33APT37APT41APT42FIN6HEXANEInceptionKimsukyLAPSUS$LeafminerMalteiroMoleratsMuddyWaterOilRigPatchworkRedCurlSandworm TeamStealth FalconTA505Volt TyphoonZIRCONIUM

DETECTIONS (15)

Access to Browser Login Data
sigmamedium
Browser Process Spawned from an Unusual Parent
elastichigh
HackTool - WinPwn Execution
sigmahigh
HackTool - WinPwn Execution - ScriptBlock
sigmahigh
Keychain Password Retrieval via Command Line
elastichigh
Non Chrome Process Accessing Chrome Default Dir
splunk_escu
Non Firefox Process Access Firefox Profile Dir
splunk_escu
Possible Browser Pass View Parameter
splunk_escu
Potential Browser Data Stealing
sigmamedium
PUA - WebBrowserPassView Execution
sigmamedium
SQLite Chromium Profile Data DB Access
sigmahigh
Suspicious File Access to Browser Credential Storage
sigmalow
Suspicious Web Browser Sensitive File Access
elastichigh
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
splunk_escu
Windows Credentials from Web Browsers Saved in TEMP Folder
splunk_escu