EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Windows Credential Access From Browser Password Store

The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.

MITRE ATT&CK

T1012

Detection Query

`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path)  values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?<extracted_process_name>[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`

Author

Teoderick Contreras, Bhavin Patel Splunk

Created

2026-03-10

Data Sources

Windows Event Log Security 4663

References

Tags

StealC StealerSalt TyphoonEarth AluxQuasar RATPXA StealerSnappyBeeMalicious Inno Setup LoaderBraodo StealerMoonPeakSnake KeyloggerChina-Nexus Threat ActivityMeduza StealerScattered Spider0bj3ctivity StealerScattered Lapsus$ HuntersBlankGrabber Stealer
Raw Content
name: Windows Credential Access From Browser Password Store
id: 72013a8e-5cea-408a-9d51-5585386b4d69
version: 18
date: '2026-03-10'
author: Teoderick Contreras, Bhavin Patel Splunk
data_source:
    - Windows Event Log Security 4663
type: Anomaly
status: production
description: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
search: '`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path)  values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?<extracted_process_name>[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`'
how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
known_false_positives: The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
references:
    - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
    - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A non-common browser process $process_name$ accessing browser user data folder on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - StealC Stealer
        - Salt Typhoon
        - Earth Alux
        - Quasar RAT
        - PXA Stealer
        - SnappyBee
        - Malicious Inno Setup Loader
        - Braodo Stealer
        - MoonPeak
        - Snake Keylogger
        - China-Nexus Threat Activity
        - Meduza Stealer
        - Scattered Spider
        - 0bj3ctivity Stealer
        - Scattered Lapsus$ Hunters
        - BlankGrabber Stealer
    asset_type: Endpoint
    mitre_attack_id:
        - T1012
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog