Credential Gathering From Third-Party Software

The article examines how third-party software can store credentials insecurely and how attackers can retrieve them to broaden access, with concrete examples across WinSCP, Git, RDCMan, OpenVPN, and various browsers. It also discusses protections in Cortex XDR and related workflows that detect or block these credential-gathering attempts. #WinSCP #OpenVPN

Keypoints

  • Third-party software often stores user credentials locally, creating a potential foothold for attackers across multiple programs and platforms.
  • WinSCP saves session passwords in the Windows registry, where the Password value is only obfuscated and can be decrypted by the steps the article describes.
  • Git stores credentials on disk in plain text if users enable the `store` credential helper (credential.helper store), including any personal access tokens (PATs), making them visible in files like .git-credentials and .config/git-credentials.
  • RDCMan and OpenVPN rely on DPAPI for password protection; attackers can decrypt these passwords by operating in the user context and invoking CryptUnprotectData.
  • Chromium-based browsers (Chrome, Edge, Opera) keep passwords encrypted in login data, with the encryption key retrieved from local state and decrypted in context.
  • Firefox stores credentials using NSS (PKCS#11) and requires access to logins.json plus key3.db/key4.db to decrypt saved usernames and passwords.
  • Malware like Emotet can wrap existing tools (e.g., WebBrowserPassView) to reveal passwords stored by browsers, illustrating how attackers leverage bundled utilities.
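The Git finding above (plain-text storage once `credential.helper store` is enabled) is the one a defender can audit without any decryption, so here is an added example, not code from the Unit 42 article, that parses gitconfig text for credential helpers and parses the one-URL-per-line format that git-credential-store writes to `~/.git-credentials`, reporting which stored secrets look like personal access tokens while redacting the secret itself. The gitconfig and credential file contents below are constructed samples; the PAT prefixes are the public GitHub and GitLab token prefixes.

```python
"""Audit helper for the plain-text Git credential store (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample of a ~/.gitconfig that enables the plain-text store helper globally
# and a different helper for one host.
SAMPLE_GITCONFIG = """\
[user]
\tname = Example Dev
[credential]
\thelper = store
[credential "https://internal.example"]
\thelper = manager
"""

# Constructed sample in git-credential-store's on-disk format: https://<user>:<secret>@<host>
SAMPLE_CREDENTIAL_FILE = """\
https://alice:ghp_ExampleTokenValue0000000000000000@github.com
https://bob:hunter2@git.example.internal
https://carol:glpat-ExampleTokenValue0000@gitlab.com
"""

# Public prefixes of well-known personal access token formats (GitHub, GitLab).
PAT_PREFIXES = ("ghp_", "github_pat_", "glpat-")

_SECTION = re.compile(r'^\[(\S+)(?:\s+"([^"]*)")?\]$')


def parse_credential_helpers(gitconfig_text):
    """Return [(section, helper), ...] for every credential.helper setting in the config."""
    helpers = []
    section = None
    for raw in gitconfig_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1) + (f" {m.group(2)}" if m.group(2) else "")
            continue
        if section and section.startswith("credential") and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "helper":
                helpers.append((section, value))
    return helpers


def uses_plaintext_store(gitconfig_text):
    """True when any credential.helper is the plain-text 'store' helper."""
    return any(h == "store" for _, h in parse_credential_helpers(gitconfig_text))


def redact(secret):
    """Keep only a short prefix so a report can identify a token type without exposing it."""
    return secret[:4] + "..." if len(secret) > 4 else "*" * len(secret)


def audit_credential_file(text):
    """Parse stored credentials; report host, user, redacted secret and whether it looks like a PAT."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.username is None or parts.password is None:
            continue  # not a credential line in the store format
        secret = unquote(parts.password)
        findings.append({
            "host": parts.hostname,
            "user": unquote(parts.username),
            "secret": redact(secret),
            "looks_like_pat": secret.startswith(PAT_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    print("credential helpers:", parse_credential_helpers(SAMPLE_GITCONFIG))
    print("plain-text store enabled:", uses_plaintext_store(SAMPLE_GITCONFIG))
    for f in audit_credential_file(SAMPLE_CREDENTIAL_FILE):
        print(f)
```

Run it against real files by reading `~/.gitconfig` and `~/.git-credentials` into the two functions; a positive `uses_plaintext_store` plus any `looks_like_pat` finding is the condition to remediate (revoke the token, switch to a credential manager).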

MITRE Techniques

  • [T1552.001] Credentials in Registry – WinSCP stores the encrypted user’s password under the registry key HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\<session_name>\Password. “WinSCP stores the encrypted user’s password under the registry key HKCU\software\martin prikryl\winscp 2\sessions\<session_name>\Password.”
  • [T1003.001] OS Credential Dumping – DPAPI: RDCMan uses the DATA Protection API to encrypt the password and CryptUnprotectData to decrypt it; “the password is being saved using the DATA Protection API (DPAPI), which enables symmetric encryption and decryption of any kind of data using the functions CryptProtectData and CryptUnprotectData.”
  • [T1003.001] OS Credential Dumping – DPAPI: OpenVPN similarly uses DPAPI with entropy; “OpenVPN also uses the DPAPI mechanism, with the additional optional entropy parameter (which can be set to NULL).”
  • [T1552.002] Credentials in Files – Git credentials saved in plain text in files like /.git-credentials and /.config/git-credentials; “git config credential.helper ‘store’” stores credentials indefinitely on disk, in plain text, and personal access tokens are no exception: “These tokens also appear in cleartext in the same files.”
  • [T1555.003] Credentials from Web Browsers – Chromium-based passwords stored in login data (SQLite); “passwords are located encrypted in an SQLite database file, usually called login data.”
  • [T1555.003] Credentials from Web Browsers – Firefox NSS-based decryption; the stored logins are “encrypted using the PKCS #11 cryptography standard” and decrypted through the NSS library (nss3.dll).
  • [T1555.003] Credentials from Web Browsers – Emotet uses WebBrowserPassView to reveal browser passwords; “WebBrowserPassView.exe shows usernames, passwords and the file path that stores each of them.”

Indicators of Compromise

  • [Registry Keys] unauthorized access to credential stores – WinSCP and OpenVPN credentials in registry keys (examples: HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\<session_name>\Password; HKCU\Software\OpenVPN-GUI\Config\auth-data and entropy)
  • [Files] unauthorized access to credential stores – Git credentials files, RDCMan.settings, and browser credential stores (examples: /.git-credentials, /.config/git-credentials, %LOCALAPPDATA%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, %LOCALAPPDATA%\Google\Chrome\User Data\Login Data, and the related Local State file)
  • [Files] browser credential stores – Chromium login data, local_state; Firefox logins.json and key3.db/key4.db
  • [Hashes] malicious file hashes associated with credential-gathering artifacts – 6599FEE8C7ADF30A00889A7070600F472F8CEAD8EA4DD1A85E724ED15F2AED0F, A88C344F3F80F8A3EA2E9BA0687FEBCEE2A730FD9AC037D54C4FD21C0AB91039, A1D513E4A5C83895E5769C994C4D319959EF5AE3F679CE6C0C5211B5BECA7695, 1B8638333751EFCB6B5332C801C11DF0DE3D7077C6ACEA1D663C0302519D7172
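The indicators above are only useful once they are turned into a rule, so here is an added example, not code from the Unit 42 article or from Cortex XDR, of the detection logic a SOC would run over endpoint telemetry: flag any process other than the owning application that touches one of the credential stores listed on this page, and flag any image whose SHA-256 matches the page's IoC hashes. The event records are constructed Sysmon-style samples (registry and file access events with an image path and target), the owning process names are assumptions, and the Edge path is the standard Chromium profile layout rather than a value from the page.

```python
"""Rule-based detection over constructed endpoint events (added example)."""
import fnmatch
import re

# IoC hashes as listed on the page (uppercase for case-insensitive matching).
IOC_SHA256 = {
    "6599FEE8C7ADF30A00889A7070600F472F8CEAD8EA4DD1A85E724ED15F2AED0F",
    "A88C344F3F80F8A3EA2E9BA0687FEBCEE2A730FD9AC037D54C4FD21C0AB91039",
    "A1D513E4A5C83895E5769C994C4D319959EF5AE3F679CE6C0C5211B5BECA7695",
    "1B8638333751EFCB6B5332C801C11DF0DE3D7077C6ACEA1D663C0302519D7172",
}

# (store name, path pattern, processes expected to read it). Patterns are fnmatch
# wildcards matched case-insensitively against the normalized target path.
# Owning process names are assumptions made for this example.
CREDENTIAL_STORES = [
    ("WinSCP session password", r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\*\Password", {"winscp.exe"}),
    ("OpenVPN GUI saved auth", r"HKCU\Software\OpenVPN-GUI\Config*\auth-data", {"openvpn-gui.exe"}),
    ("RDCMan settings", r"*\Microsoft\Remote Desktop Connection Manager\RDCMan.settings", {"rdcman.exe"}),
    ("Chrome Login Data", r"*\Google\Chrome\User Data\*Login Data", {"chrome.exe"}),
    ("Edge Login Data", r"*\Microsoft\Edge\User Data\*Login Data", {"msedge.exe"}),
    ("Firefox logins.json", r"*\Mozilla\Firefox\Profiles\*\logins.json", {"firefox.exe"}),
    ("Firefox key database", r"*\Mozilla\Firefox\Profiles\*\key[34].db", {"firefox.exe"}),
    ("Git credential store", r"*\.git-credentials", {"git.exe", "git-credential-store.exe"}),
    ("Git XDG credential store", r"*\.config\git-credentials", {"git.exe", "git-credential-store.exe"}),
]

_HKU_SID = re.compile(r"^hku\\s-1-5-21-[0-9-]+\\")


def normalize(path):
    """Lowercase, unify separators, and fold Sysmon's HKU\\<SID>\\ form to HKCU\\."""
    p = path.lower().replace("/", "\\")
    return _HKU_SID.sub("hkcu\\\\", p)


def evaluate(event):
    """Return a list of alert strings for one event (empty when nothing matched)."""
    alerts = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    sha = event.get("sha256", "").upper()
    if sha in IOC_SHA256:
        alerts.append(f"known malicious hash {sha[:12]}... for {image_name}")
    target = normalize(event["target"])
    for name, pattern, owners in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(target, normalize(pattern)) and image_name not in owners:
            alerts.append(f"{image_name} accessed {name}: {event['target']}")
    return alerts


def run_detection(events):
    """Return [(event index, alert), ...] over a sequence of events."""
    return [(i, a) for i, ev in enumerate(events) for a in evaluate(ev)]


# Constructed sample events: a benign owner read, then unexpected readers of the same stores.
_WINSCP_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Martin Prikryl\WinSCP 2\Sessions\prod-server\Password"
_CHROME_DB = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"event": "RegistryEvent", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "target": _WINSCP_KEY},
    {"event": "RegistryEvent", "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "target": _WINSCP_KEY},
    {"event": "FileAccess", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": _CHROME_DB},
    {"event": "FileAccess", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target": _CHROME_DB},
    # File name is constructed; the hash is taken from the page's IoC list.
    {"event": "FileAccess", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json",
     "sha256": "6599fee8c7adf30a00889a7070600f472f8cead8ea4dd1a85e724ed15f2aed0f"},
    {"event": "FileAccess", "image": r"C:\Program Files\Git\mingw64\bin\git.exe", "target": r"C:\Users\alice\.git-credentials"},
]

if __name__ == "__main__":
    for index, alert in run_detection(SAMPLE_EVENTS):
        print(f"event {index}: {alert}")
```

The owner allowlist is what keeps this rule quiet in normal use: browsers, WinSCP and Git read their own stores constantly, so the signal is the reader, not the read. Backup agents or EDR scanners that legitimately touch these paths should be added to the owner sets rather than the rule disabled.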

Read more: https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/