EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

File Access Of Signal Desktop Sensitive Data

Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.

MITRE ATT&CK

T1003
credential-access

Detection Query

selection:
  EventID: 4663
  ObjectType: File
  ObjectName|contains: \AppData\Roaming\Signal\
  ObjectName|endswith:
    - \config.json
    - \db.sqlite
filter_main_signal:
  ProcessName|endswith:
    - \signal-portable.exe
    - \signal.exe
condition: selection and not 1 of filter_main_*

Author

Andreas Braathen (mnemonic.io)

Created

2025-10-19

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.credential-accessattack.t1003
Raw Content
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium