T1555.003: T1555.003
Essential information
- MITRE technique ID
T1555.003- Confidence
- 100/100
- Revoked
- No
- Published
- 12/02/2020 19:57
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Credentials from Web Browsers
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (58)
-
Sordeal Group usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Librarian Ghouls usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VasyGrek usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MioLab usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lazy Koala usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RedCurl usesThe MITRE Corporation Confidence 100
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (72)
-
EKANS - S0605 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RPipeCommander usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BeaverTail usesThe MITRE Corporation Confidence 100
[BeaverTail](https://attack.mitre.org/software/S1246) is a malware that has both a JavaScript and C++ variant. Active since 2022, [BeaverTail](https://attack.mitre.org/software/S1246) is capable of stealing logins from browsers and serves as a downloader…
First seen 01/01/1970 · Last seen 16/11/5138 · -
StartBat usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TONESHELL usesThe MITRE Corporation Confidence 100
[TONESHELL](https://attack.mitre.org/software/S1239) is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) [TONESHELL](https://attack.mitre.org/software/S1239) malware has previously been leveraged…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AMOS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
softwareupdate.app usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Stealerium usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
360.dll usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Millenium RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ACRStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 19 MITREs 2 Malwares 13 IOCs 7 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 17 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 5 Malwares 27 IOCs 27 Observables
-
AlienVault Confidence 100 1 CVE 19 MITREs 2 Malwares 4 IOCs 2 Observables
-
AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 140 IOCs 127 Observables
-
AlienVault Confidence 100 21 MITREs 5 Malwares 60 IOCs 21 Observables 1 APT
-
AlienVault Confidence 100 24 MITREs 4 Malwares 9 IOCs 9 Observables
-
AlienVault Confidence 100 25 MITREs 6 Malwares 39 IOCs 24 Observables
-
AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
-
AlienVault Confidence 100 18 MITREs 10 Malwares 1 IOC
-
AlienVault Confidence 100 20 MITREs 9 IOCs 3 Observables
Vulnerabilities (CVE) (34)
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization …
- Attack vector
- NETWORK
- Published
- 24/07/2024
- Modified
- 21/12/2025
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
- Published
- 15/02/2022
- Modified
- 02/06/2026
The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …
- Attack vector
- LOCAL
- Published
- 08/01/2024
- Modified
- 16/06/2026
Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web …
- Attack vector
- Network
- Published
- 16/09/2024
- Modified
- 21/12/2025
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before …
- Attack vector
- Network
- Published
- 03/10/2024
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Course Of Action (2)
-
User Training mitigates
-
Restrict Web-Based Content mitigates
Tool (2)
-
LaZagne usesThe MITRE Corporation Confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
Campaign (1)
-
SolarWinds Compromise uses