Home >
Enterprise >
Participants >
Symantec >
Unsecured Credentials (T1552)
|
|
Carbanak+FIN7 |
||
The technique was not in scope. |
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
6.A.1
|
Tactic Credential Access (TA0006) Subtechnique Unsecured Credentials: Credentials in Files (T1552.001) |
|
||||
6.B.1
|
|
Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Procedure
Exported a local certificate to a PFX file using PowerShell
Criteria
powershell.exe creating a certificate file exported from the system
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).

