← Back to Explore
sigmamediumHunting
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Detection Query
selection_cmd:
- CommandLine|contains:
- copy-item
- "copy "
- "cpi "
- " cp "
- "move "
- move-item
- " mi "
- " mv "
- Image|endswith:
- \esentutl.exe
- \xcopy.exe
- \robocopy.exe
- OriginalFileName:
- esentutl.exe
- XCOPY.EXE
- robocopy.exe
selection_path:
CommandLine|contains:
- \Amigo\User Data
- \BraveSoftware\Brave-Browser\User Data
- \CentBrowser\User Data
- \Chromium\User Data
- \CocCoc\Browser\User Data
- \Comodo\Dragon\User Data
- \Elements Browser\User Data
- \Epic Privacy Browser\User Data
- \Google\Chrome Beta\User Data
- \Google\Chrome SxS\User Data
- \Google\Chrome\User Data\
- \Kometa\User Data
- \Maxthon5\Users
- \Microsoft\Edge\User Data
- \Mozilla\Firefox\Profiles
- \Nichrome\User Data
- \Opera Software\Opera GX Stable\
- \Opera Software\Opera Neon\User Data
- \Opera Software\Opera Stable\
- \Orbitum\User Data
- \QIP Surf\User Data
- \Sputnik\User Data
- \Torch\User Data
- \uCozMedia\Uran\User Data
- \Vivaldi\User Data
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-12-23
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.credential-accessattack.t1555.003
Raw Content
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
- id: fc028194-969d-4122-8abe-0470d5b8f12f
type: derived
status: test
description: |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
- https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
- attack.credential-access
- attack.t1555.003
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- CommandLine|contains:
- 'copy-item'
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- 'move-item'
- ' mi '
- ' mv '
- Image|endswith:
- '\esentutl.exe' # akira ransomware
- '\xcopy.exe'
- '\robocopy.exe'
- OriginalFileName:
- 'esentutl.exe'
- 'XCOPY.EXE'
- 'robocopy.exe'
selection_path:
CommandLine|contains:
- '\Amigo\User Data'
- '\BraveSoftware\Brave-Browser\User Data'
- '\CentBrowser\User Data'
- '\Chromium\User Data'
- '\CocCoc\Browser\User Data'
- '\Comodo\Dragon\User Data'
- '\Elements Browser\User Data'
- '\Epic Privacy Browser\User Data'
- '\Google\Chrome Beta\User Data'
- '\Google\Chrome SxS\User Data'
- '\Google\Chrome\User Data\'
- '\Kometa\User Data'
- '\Maxthon5\Users'
- '\Microsoft\Edge\User Data'
- '\Mozilla\Firefox\Profiles'
- '\Nichrome\User Data'
- '\Opera Software\Opera GX Stable\'
- '\Opera Software\Opera Neon\User Data'
- '\Opera Software\Opera Stable\'
- '\Orbitum\User Data'
- '\QIP Surf\User Data'
- '\Sputnik\User Data'
- '\Torch\User Data'
- '\uCozMedia\Uran\User Data'
- '\Vivaldi\User Data'
condition: all of selection_*
falsepositives:
- Unknown
level: medium