MITRE ATT&CK Technique
Credential Access T1503
Description

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2019-06-17T19:34:51.855Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may acquire credentials from web browsers by '
                'reading files specific to the target browser.  (Citation: '
                'Talos Olympic Destroyer 2018) \n'
                '\n'
                'Web browsers commonly save credentials such as website '
                'usernames and passwords so that they do not need to be '
                'entered manually in the future. Web browsers typically store '
                'the credentials in an encrypted format within a credential '
                'store; however, methods exist to extract plaintext '
                'credentials from web browsers.\n'
                '\n'
                'For example, on Windows systems, encrypted credentials may be '
                'obtained from Google Chrome by reading a database file, '
                '<code>AppData\\Local\\Google\\Chrome\\User '
                'Data\\Default\\Login Data</code> and executing a SQL query: '
                '<code>SELECT action_url, username_value, password_value FROM '
                'logins;</code>. The plaintext password can then be obtained '
                'by passing the encrypted credentials to the Windows API '
                'function <code>CryptUnprotectData</code>, which uses the '
                'victim’s cached logon credentials as the decryption key. '
                '(Citation: Microsoft CryptUnprotectData April 2018)\n'
                ' \n'
                'Adversaries have executed similar procedures for common web '
                'browsers such as FireFox, Safari, Edge, etc. (Citation: '
                'Proofpoint Vega Credential Stealer May 2018)(Citation: '
                'FireEye HawkEye Malware July 2017)\n'
                '\n'
                'Adversaries may also acquire credentials by searching web '
                'browser process memory for patterns that commonly match '
                'credentials.(Citation: GitHub Mimikittenz July 2016)\n'
                '\n'
                'After acquiring credentials from web browsers, adversaries '
                'may attempt to recycle the credentials across different '
                'systems and/or accounts in order to expand access. This can '
                "result in significantly furthering an adversary's objective "
                'in cases where credentials gained from web browsers overlap '
                'with privileged accounts (e.g. domain administrator).',
 'external_references': [{'external_id': 'T1503',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1503'},
                         {'description': 'Mercer, W. and Rascagneres, P. '
                                         '(2018, February 12). Olympic '
                                         'Destroyer Takes Aim At Winter '
                                         'Olympics. Retrieved March 14, 2019.',
                          'source_name': 'Talos Olympic Destroyer 2018',
                          'url': 'https://blog.talosintelligence.com/2018/02/olympic-destroyer.html'},
                         {'description': 'Microsoft. (2018, April 12). '
                                         'CryptUnprotectData function. '
                                         'Retrieved June 18, 2019.',
                          'source_name': 'Microsoft CryptUnprotectData April '
                                         '2018',
                          'url': 'https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata'},
                         {'description': 'Proofpoint. (2018, May 10). New Vega '
                                         'Stealer shines brightly in targeted '
                                         'campaign . Retrieved June 18, 2019.',
                          'source_name': 'Proofpoint Vega Credential Stealer '
                                         'May 2018',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign'},
                         {'description': 'Swapnil Patil, Yogesh Londhe. (2017, '
                                         'July 25). HawkEye Credential Theft '
                                         'Malware Distributed in Recent '
                                         'Phishing Campaign. Retrieved June '
                                         '18, 2019.',
                          'source_name': 'FireEye HawkEye Malware July 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html'},
                         {'description': "Jamieson O'Reilly (putterpanda). "
                                         '(2016, July 4). mimikittenz. '
                                         'Retrieved June 20, 2019.',
                          'source_name': 'GitHub Mimikittenz July 2016',
                          'url': 'https://github.com/putterpanda/mimikittenz'}],
 'id': 'attack-pattern--4579d9c9-d5b9-45e0-9848-0104637b579f',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'}],
 'modified': '2025-10-24T17:48:43.314Z',
 'name': 'Credentials from Web Browsers',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Ryan Benson, Exabeam',
                          'Barry Shteiman, Exabeam',
                          'Sylvain Gil, Exabeam',
                          'RedHuntLabs, @redhuntlabs'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About