ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1503

术语表: /attack/glossary

Web浏览器凭证

攻击者可以通过读取特定于目标浏览器的文件来从Web浏览器获取凭据。

Web浏览器通常会保存凭据,例如网站用户名和密码,以便将来无需手动输入它们。Web浏览器通常将凭据以加密格式存储在凭据存储区中。但是,存在从Web浏览器中提取纯文本凭据的方法。

例如,在Windows系统上,可以通过读取数据库文件AppData\Local\Google\Chrome\User Data\Default\Login Data并执行SQL查询来从Google Chrome获得加密的凭据SELECT action_url, username_value, password_value FROM logins;。然后,可以通过将加密的凭据传递给Windows API函数来获取纯文本密码CryptUnprotectData,该函数使用受害者的缓存登录凭据作为解密密钥。

攻击者对常见的Web浏览器(例如FireFox,Safari,Edge等)执行了类似的程序。

攻击者还可以通过在Web浏览器进程内存中搜索通常与凭据匹配的模式来获取凭据。

从网络浏览器获取凭据后,攻击者可能会尝试在不同系统和/或帐户之间回收凭据,以扩大访问范围。在从Web浏览器获得的凭据与特权帐户(例如域管理员)重叠的情况下,这可以大大提高对手的目标。

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

标签

ID编号: T1503

策略: 凭证访问

平台: Linux,macOS,Windows

所需权限: user

数据源: 进程监视,PowerShell日志,文件监视,API监视

缓解措施

缓解 描述
密码策略(M1027) 组织可以考虑权衡将凭据存储在Web浏览器中的风险。如果Web浏览器凭据公开非常重要,则可以使用技术控制,策略和用户培训来防止凭据存储在Web浏览器中。
Mitigation Description
Password Policies(M1027) Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

检测

确定包含凭据的网络浏览器文件,例如Google Chrome的Login Data数据库文件:AppData\Local\Google\Chrome\User Data\Default\Login Data。监视包含凭据的Web浏览器文件的文件读取事件,尤其是在读取过程与主题Web浏览器无关时。监视进程执行日志以包括PowerShell Transcription,重点关注那些执行多种行为的行为,包括读取Web浏览器进程内存,利用正则表达式,以及包含许多常见Web应用程序(Gmail,Twitter,Office365等)关键字的行为。

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).