title: Credentials from Web Browsers (T1555.003)
id: df00tech-t1555-003
status: experimental
description: "Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords in encrypted format within credential stores. On Windows, encrypted credentials may be obtained from Chrome by reading the Login Data SQLite database and decrypting via CryptUnprotectData. Firefox stores credentials in key3.db/key4.db and logins.json. Edge and Internet Explorer credentials are managed by Windows Credential Manager. Adversaries may also search browser process memory for credential patterns using tools like mimikittenz."
references:
  - https://attack.mitre.org/techniques/T1555/003/
  - https://df00tech.com/detections/T1555.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, this selection matches every process_creation event and must be replaced before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Browser update processes that may access credential files during migration between versions
  - Antivirus/EDR agents scanning browser credential directories during scheduled scans
  - "Backup software (Acronis, Veeam, Windows Backup) that reads browser profile directories"
  - Browser extension installers and sync services that access profile data
level: high
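As an added example (not the df00tech rule above and not part of the original page), the following Sigma rule expresses the behaviour the description names, reads of the Chrome `Login Data` database and the Firefox `key3.db`/`key4.db`/`logins.json` files by a process that is not the browser itself, against the Sigma `file_access` log source; the rule `id` is a placeholder to be replaced with a fresh UUID.

```yaml
title: Browser Credential Store Read By Non-Browser Process
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a fresh UUID before use
status: experimental
description: >
  Detects a process other than the browser reading the on-disk credential stores
  listed under T1555.003 (Chrome "Login Data", Firefox key3.db/key4.db/logins.json).
references:
  - https://attack.mitre.org/techniques/T1555/003/
tags:
  - attack.credential-access
  - attack.t1555.003
logsource:
  category: file_access   # needs a source that records file reads (e.g. Kernel-File ETW); Sysmon FileCreate does not
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '\Login Data'   # Chrome/Chromium credential SQLite database
      - '\key3.db'      # Firefox legacy key store
      - '\key4.db'      # Firefox key store
      - '\logins.json'  # Firefox encrypted logins
  filter_browsers:
    # the browsers legitimately open their own stores
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  filter_known_agents:
    # add your backup and AV/EDR agent binaries here rather than widening the paths
    Image|endswith:
      - '\placeholder-backup-agent.exe'
  condition: selection and not 1 of filter_*
falsepositives:
  - Backup software, AV/EDR scanners and browser sync or migration tools reading profile directories
level: high
```

Tune `filter_known_agents` to the binaries that actually touch profile directories in your environment; the false-positive sources listed in the rule above are the first candidates.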
