
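ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and 戴亦侖 (賽寧網安). This is an original translation; obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1503

Glossary: /attack/glossary

Credentials from Web Browsers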

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading the database file AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query:

SELECT action_url, username_value, password_value FROM logins;

The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key.

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

Tags

ID: T1503

Tactic: Credential Access

Platform: Linux, macOS, Windows

Permissions Required: user

Data Sources: Process monitoring, PowerShell logs, File monitoring, API monitoring

Mitigations

Mitigation | Description
Password Policies (M1027) | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

Detection

Identify web browser files that contain credentials, such as Google Chrome's Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs, including PowerShell Transcription, focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).
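The file-read monitoring described above, as an added example that is not part of the original page or of the ATT&CK content: it flags reads of Chrome's Login Data file by any process image other than the browser's own executable, comparing full image paths rather than file names. The event field names (image, target), the sample events and the allowlisted Chrome install paths are assumptions.

```python
import ntpath

# Credential store named on the page (Chrome on Windows), matched as a
# case-insensitive path suffix. Extend the table for other browsers in use.
CREDENTIAL_STORES = {
    r"appdata\local\google\chrome\user data\default\login data": {
        # Assumption: expected reader images for a default Chrome install.
        r"c:\program files\google\chrome\application\chrome.exe",
        r"c:\program files (x86)\google\chrome\application\chrome.exe",
    },
}

def normalize(path):
    """Unify separators, collapse '..' and lower-case so variants compare equal."""
    return ntpath.normpath(path).lower()

def suspicious_reads(events):
    """Return events where a credential store is read by an unexpected image."""
    alerts = []
    for ev in events:
        target = normalize(ev["target"])
        image = normalize(ev["image"])
        for store, allowed in CREDENTIAL_STORES.items():
            # Compare the full image path: a matching file name alone is not
            # enough to treat the reader as the browser.
            if target.endswith("\\" + store) and image not in allowed:
                alerts.append({**ev, "store": store})
    return alerts

# Constructed sample telemetry (hypothetical field names: image, target).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Image named like the browser but located outside its install directory.
    {"image": r"C:\Users\alice\Downloads\chrome.exe",
     "target": r"c:/users/alice/appdata/local/google/chrome/user data/default/LOGIN DATA"},
    # Unrelated file whose name merely resembles the credential store.
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\Login Data.txt"},
]

if __name__ == "__main__":
    for alert in suspicious_reads(SAMPLE_EVENTS):
        print("ALERT:", alert["image"], "read", alert["target"])
```
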
