Credentials from Web Browsers

Information

• Name: Credentials from Web Browsers

• ID: T1555.003

• Tactics: TA0006

• Technique: T1555

Introduction

The MITRE ATT&CK sub-technique Credentials from Web Browsers (T1555.003) falls under the broader credential access category. Attackers leverage this method to extract stored authentication credentials, such as usernames and passwords, from popular web browsers. Modern browsers often store sensitive credentials locally for user convenience, making them attractive targets for adversaries seeking unauthorized access or lateral movement within compromised environments.

Deep Dive Into Technique

Attackers typically execute this sub-technique by accessing browser-specific credential storage mechanisms. Browsers store credentials using different methods, including encrypted databases, JSON files, or other proprietary formats. Common browsers targeted include Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, and Safari.

Technical execution methods include:

• Chrome and Chromium-based Browsers:

  • Credentials stored in SQLite databases (Login Data file).

  • Passwords encrypted with Windows DPAPI (Data Protection API) on Windows or Keychain on macOS.

  • Attackers use tools such as ChromePass, SharpChromium, or custom scripts to extract and decrypt these credentials.

• Mozilla Firefox:

  • Credentials stored in JSON format (logins.json) and encrypted using a master key stored in key4.db or key3.db.

  • Attackers leverage tools like Firepwd, Firefox Decrypt, or custom Python scripts to extract and decrypt credentials.

• Microsoft Edge:

  • Similar to Chrome, stores credentials in SQLite databases encrypted with Windows DPAPI.

  • Tools like EdgePasswords and SharpDPAPI are commonly used by adversaries.

• Safari:

  • Credentials stored in macOS Keychain.

  • Attackers typically use built-in macOS commands (security) or third-party scripts to extract credentials.

Attackers may automate credential extraction processes using scripting languages like Python, PowerShell, or batch scripts, facilitating rapid credential harvesting across multiple compromised hosts.

When this Technique is Usually Used

Credential extraction from web browsers typically occurs during:

• Initial Access and Reconnaissance: Attackers who gain initial footholds on endpoints may immediately attempt to extract credentials for further exploitation.

• Privilege Escalation and Lateral Movement: Credentials harvested from browsers often provide access to additional user accounts, internal portals, or cloud services, enabling attackers to move laterally within the network.

• Persistence and Data Exfiltration: Attackers may periodically extract browser credentials to maintain persistent access or exfiltrate sensitive user data for future attacks or resale.

Common attack scenarios include:

• Phishing campaigns delivering malware or scripts designed to harvest browser credentials.

• Malware infections, such as info stealers (RedLine Stealer, Vidar, Raccoon Stealer), specifically targeting browser-stored credentials.

• Insider threats manually extracting credentials from browsers to misuse or sell sensitive information.

How this Technique is Usually Detected

Detection of credential extraction from web browsers involves monitoring endpoint activities, file access, and suspicious behavior patterns. Effective detection methods include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitor abnormal process executions, especially unusual scripts or binaries accessing browser credential files.

  • Detect suspicious command-line executions (e.g., PowerShell or Python scripts accessing browser credential storage locations).

• File Access Monitoring:

  • Logging and alerting on unauthorized access or modifications to sensitive browser credential files (Login Data, logins.json, key4.db, key3.db).

  • Monitoring access to DPAPI-protected files and keys.

• Behavioral Analytics:

  • Detecting unexpected access patterns or unusual data transfers from endpoints.

  • Identifying anomalous application behavior, such as browsers being accessed by unfamiliar processes or users.

• Specific Indicators of Compromise (IoCs):

  • Unusual processes or scripts accessing browser credential storage paths:

    • Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data

    • Firefox: %APPDATA%\Mozilla\Firefox\Profiles\[ProfileName]\logins.json, key4.db

    • Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data

  • Presence of known credential extraction tools (ChromePass, Firepwd, SharpChromium) on endpoints.

  • Suspicious outbound network traffic indicative of credential exfiltration.

Why it is Important to Detect This Technique

Early detection of credential extraction from web browsers is critical due to the substantial risks and impacts, including:

• Unauthorized Access: Stolen credentials allow attackers immediate access to sensitive user accounts, corporate resources, and cloud services.

• Lateral Movement: Attackers frequently use harvested credentials to pivot internally, escalating privileges, and compromising additional systems and data.

• Data Breaches and Compliance Violations: Credential theft can lead to significant data breaches, exposing sensitive personal, financial, or proprietary information, resulting in regulatory fines and reputational damage.

• Persistent Threats: Undetected credential extraction enables attackers to maintain long-term persistence, repeatedly accessing resources and exfiltrating data.

• Financial Losses and Operational Disruption: Compromised credentials can lead to direct financial theft, fraud, ransomware attacks, and disruption of business operations.

Detecting this technique early allows organizations to respond rapidly, mitigate damage, and strengthen security posture.

Examples

Real-world examples of credential extraction from web browsers include:

• RedLine Stealer Malware:

  • Widely observed malware designed specifically to harvest credentials from popular browsers like Chrome, Firefox, and Edge.

  • Distributed via phishing emails, malicious advertisements, and cracked software downloads.

  • Impact: Stolen credentials sold on underground forums, leading to widespread unauthorized access incidents.

• Vidar Stealer:

  • Malware-as-a-Service (MaaS) tool frequently distributed via phishing campaigns and malicious software bundles.

  • Extracts browser credentials alongside cryptocurrency wallet data, FTP credentials, and cookies.

  • Impact: Facilitates unauthorized access, financial theft, and identity fraud.

• APT29 (Cozy Bear) Operations:

  • Advanced Persistent Threat (APT) group known to leverage credential extraction from browsers during espionage campaigns.

  • Tools used include custom scripts and publicly available utilities to extract credentials from compromised endpoints.

  • Impact: Long-term espionage, data exfiltration, and lateral movement in targeted organizations.

• Insider Threat Scenarios:

  • Internal users manually extracting credentials from browsers using simple scripts or third-party utilities.

  • Impact: Unauthorized data access, account compromise, and insider fraud.

Tools commonly associated with credential extraction from browsers:

• ChromePass

• SharpChromium

• Firepwd

• Firefox Decrypt

• Mimikatz (DPAPI Credential Extraction)

• LaZagne (multi-browser credential extraction toolkit)

Understanding these real-world examples and tools helps defenders recognize the scope, methods, and impacts associated with this sub-technique.