Home >
Enterprise >
Participants >
FireEye >
Unsecured Credentials (T1552)
|
|
Carbanak+FIN7 |
||
The technique was not in scope. |
APT29 |
||||||||
Step | ATT&CK Pattern |
|
||||||
6.A.1
|
Tactic Credential Access (TA0006) Subtechnique Unsecured Credentials: Credentials in Files (T1552.001) |
|
||||||
6.B.1
|
|
Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Procedure
Exported a local certificate to a PFX file using PowerShell
Criteria
powershell.exe creating a certificate file exported from the system
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3 |
||||
Step | ATT&CK Pattern |
|
||
15.B.1
|
Tactic Credential Access (TA0006) Subtechnique Unsecured Credentials: Credentials in Files (T1552.001) |
|