Esc
Credentials from Web Browsers - T1555.003

(ATT&CK® Technique)
Definition

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1555003["Credentials from Web Browsers"] --> |may-invoke| ReadFile["Read File"]; class T1555003 OffensiveTechniqueNode;
        class ReadFile ArtifactNode; click ReadFile href "/dao/artifact/d3f:ReadFile";
        click T1555003 href "/offensive-technique/attack/T1555.003/"; click ReadFile href "/dao/artifact/d3f:ReadFile"; T1555003["Credentials from Web Browsers"] --> |accesses| DatabaseFile["Database File"]; class T1555003 OffensiveTechniqueNode;
        class DatabaseFile ArtifactNode; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";
        click T1555003 href "/offensive-technique/attack/T1555.003/"; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile"; T1555003["Credentials from Web Browsers"] --> |may-access| In-memoryPasswordStore["In-memory Password Store"]; class T1555003 OffensiveTechniqueNode;
        class In-memoryPasswordStore ArtifactNode; click In-memoryPasswordStore href "/dao/artifact/d3f:In-memoryPasswordStore";
        click T1555003 href "/offensive-technique/attack/T1555.003/"; click In-memoryPasswordStore href "/dao/artifact/d3f:In-memoryPasswordStore";              T1555003["Credentials from Web Browsers"] --> |may-access| DatabaseFile["Database File"]; class T1555003 OffensiveTechniqueNode;
        class DatabaseFile ArtifactNode; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";
        click T1555003 href "/offensive-technique/attack/T1555.003/"; click DatabaseFile href "/dao/artifact/d3f:DatabaseFile";  T1555003["Credentials from Web Browsers"] --> |accesses| PasswordStore["Password Store"]; class T1555003 OffensiveTechniqueNode;
        class PasswordStore ArtifactNode; click PasswordStore href "/dao/artifact/d3f:PasswordStore";
        click T1555003 href "/offensive-technique/attack/T1555.003/"; click PasswordStore href "/dao/artifact/d3f:PasswordStore";                         SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | ReadFile["Read File"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1555003["Credentials from Web Browsers"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class ReadFile ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileEviction["File Eviction"] -->
          | deletes | DatabaseFile["Database File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1555003["Credentials from Web Browsers"] ;
          class FileEviction DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                            FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | DatabaseFile["Database File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1555003["Credentials from Web Browsers"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";               FileEncryption["File Encryption"] -->
          | encrypts | DatabaseFile["Database File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1555003["Credentials from Web Browsers"] ;
          class FileEncryption DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";               SystemCallFiltering["System Call Filtering"] -->
          | filters | ReadFile["Read File"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1555003["Credentials from Web Browsers"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class ReadFile ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; DecoyFile["Decoy File"] -->
          | spoofs | DatabaseFile["Database File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1555003["Credentials from Web Browsers"] ;
          class DecoyFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                            LocalFilePermissions["Local File Permissions"] -->
          | restricts | DatabaseFile["Database File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1555003["Credentials from Web Browsers"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                              RestoreFile["Restore File"] -->
          | restores | DatabaseFile["Database File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1555003["Credentials from Web Browsers"] ;
          class RestoreFile DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
          | restores | In-memoryPasswordStore["In-memory Password Store"];

          RestoreDatabase["Restore Database"] -.->
            | may-restore | T1555003["Credentials from Web Browsers"] ;
          class RestoreDatabase DefensiveTechniqueNode;
          class In-memoryPasswordStore ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase";           RestoreDatabase["Restore Database"] -->
          | restores | PasswordStore["Password Store"];

          
          class RestoreDatabase DefensiveTechniqueNode;
          class PasswordStore ArtifactNode;
          click RestoreDatabase href "/technique/d3f:RestoreDatabase";                  FileAnalysis["File Analysis"] -->
          | analyzes | DatabaseFile["Database File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1555003["Credentials from Web Browsers"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";            RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | DatabaseFile["Database File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1555003["Credentials from Web Browsers"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class DatabaseFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json