T1555.003: T1555.003
Essential information
- MITRE technique ID
- T1555.003
- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Credentials from Web Browsers
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (63)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- UNC1151 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BrazenBamboo uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- UTA0137 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ToddyCat uses · The MITRE Corporation · Confidence 100
  [ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…
  First seen 01/01/1970 · Last seen 16/11/5138
- Malteiro uses · The MITRE Corporation · Confidence 100
  [Malteiro](https://attack.mitre.org/groups/G1026) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the…
  First seen 01/01/1970 · Last seen 16/11/5138
- SnakeKeylogger uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- GHOST STADIUM uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Agent Tesla uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Starry Addax uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation:…
  First seen 01/01/1970 · Last seen 16/11/5138
Malware (124)
- PLEAD uses
- Banker.FN uses · Family
- Smoke Loader uses · Family · The MITRE Corporation · Confidence 100
  [Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware. [Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and…
  First seen 01/01/1970 · Last seen 16/11/5138
- SwiftNav uses · Family
- ChromePass uses · Family
- PanthomVAI uses · Family
- systemupdate.app uses · Family
- Brute Ratel C4 uses · Family
- Olymp Loader uses · Family
- sfsvc.exe uses · Family
- PupkinStealer uses · Family
- RemusStealer uses · Family
Reports (50)
- AlienVault · Confidence 100 · 18 MITREs · 10 Malwares · 1 IOC
- AlienVault · Confidence 100 · 20 MITREs · 9 IOCs · 3 Observables
- AlienVault · Confidence 100 · 21 MITREs · 1 Malware · 7 IOCs
- AlienVault · Confidence 100 · 19 MITREs · 1 Malware · 21 IOCs · 21 Observables
- AlienVault · Confidence 100 · 21 MITREs · 1 Malware · 6 IOCs · 1 Observable
- AlienVault · Confidence 100 · 20 MITREs · 1 Malware · 9 IOCs · 9 Observables
- AlienVault · Confidence 100 · 3 CVEs · 18 MITREs · 2 Malwares · 26 IOCs · 26 Observables · 1 APT
- AlienVault · Confidence 100 · 19 MITREs · 4 Malwares · 22 IOCs · 22 Observables
- 15 MITREs · 1 Malware · 4 Observables
- AlienVault · Confidence 100 · 3 CVEs · 16 MITREs · 2 Malwares · 53 IOCs · 53 Observables · 1 APT
- 20 MITREs · 4 Malwares · 18 Observables · 1 APT
- AlienVault · Confidence 100 · 20 MITREs · 3 Malwares · 64 IOCs · 64 Observables
Vulnerabilities (CVE) (32)
Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.
- Attack vector
- Network
- Published
- 13/02/2024
- Modified
- 27/05/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …
- Attack vector
- LOCAL
- Published
- 28/10/2025
- Modified
- 30/01/2026
Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted …
- Attack vector
- NETWORK
- Published
- 01/05/2024
- Modified
- 21/12/2025
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass …
- Attack vector
- Network
- Complexity
- LOW
- Published
- 13/08/2024
- Modified
- 06/06/2026
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without …
- Published
- 01/02/2026
- Modified
- 02/02/2026
Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has …
- Published
- 25/04/2022
- Modified
- 20/12/2025
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
Course Of Action (3)
- User Training mitigates
- Restrict Web-Based Content mitigates
- Password Policies mitigates
Tool (3)
- LaZagne uses · The MITRE Corporation · Confidence 100
  [LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- Mimikatz uses · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- Empire uses · The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Campaign (1)
- SolarWinds Compromise uses