← Back to Explore
sigmalowHunting
Access To Browser Credential Files By Uncommon Applications - Security
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
Detection Query
selection_eid:
EventID: 4663
ObjectType: File
AccessMask: "0x1"
selection_browser_chromium:
ObjectName|contains:
- \User Data\Default\Login Data
- \User Data\Local State
- \User Data\Default\Network\Cookies
selection_browser_firefox:
FileName|endswith:
- \cookies.sqlite
- \places.sqlite
- release\key3.db
- release\key4.db
- release\logins.json
filter_main_system:
ProcessName: System
filter_main_generic:
ProcessName|startswith:
- C:\Program Files (x86)\
- C:\Program Files\
- C:\Windows\system32\
- C:\Windows\SysWOW64\
filter_optional_defender:
ProcessName|startswith: C:\ProgramData\Microsoft\Windows Defender\
ProcessName|endswith:
- \MpCopyAccelerator.exe
- \MsMpEng.exe
condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_*
and not 1 of filter_optional_*
Author
Daniel Koifman (@Koifsec), Nasreddine Bencherchali
Created
2024-10-21
Data Sources
windowssecurity
Platforms
windows
Tags
attack.credential-accessattack.t1555.003detection.threat-hunting
Raw Content
title: Access To Browser Credential Files By Uncommon Applications - Security
id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
related:
- id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
type: similar
status: test
description: |
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
references:
- https://ipurple.team/2024/09/10/browser-stored-credentials/
author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
date: 2024-10-21
tags:
- attack.credential-access
- attack.t1555.003
- detection.threat-hunting
logsource:
product: windows
service: security
definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
detection:
selection_eid:
EventID: 4663
ObjectType: 'File'
# Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
AccessMask: '0x1'
selection_browser_chromium:
ObjectName|contains:
- '\User Data\Default\Login Data'
- '\User Data\Local State'
- '\User Data\Default\Network\Cookies'
selection_browser_firefox:
FileName|endswith:
- '\cookies.sqlite'
- '\places.sqlite'
- 'release\key3.db' # Firefox
- 'release\key4.db' # Firefox
- 'release\logins.json' # Firefox
filter_main_system:
ProcessName: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
ProcessName|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
ProcessName|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
ProcessName|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: low