EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Access To Browser Credential Files By Uncommon Applications

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

MITRE ATT&CK

T1003
credential-access

Detection Query

selection_ie:
  FileName|endswith: \Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
selection_firefox:
  FileName|endswith:
    - \cookies.sqlite
    - \places.sqlite
    - release\key3.db
    - release\key4.db
    - release\logins.json
selection_chromium:
  FileName|contains:
    - \User Data\Default\Login Data
    - \User Data\Local State
filter_main_system:
  Image: System
filter_main_generic:
  Image|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\system32\
    - C:\Windows\SysWOW64\
filter_optional_defender:
  Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
    - \MpCopyAccelerator.exe
    - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
    - \thor.exe
    - \thor64.exe
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

Author

frack113, X__Junior (Nextron Systems)

Created

2022-04-09

Data Sources

windowsfile_access

Platforms

windows

References

Tags

attack.t1003attack.credential-accessdetection.threat-hunting
Raw Content
title: Access To Browser Credential Files By Uncommon Applications
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
related:
    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
      type: similar
status: test
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage
references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    - https://github.com/lclevy/firepwd
author: frack113, X__Junior (Nextron Systems)
date: 2022-04-09
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
    - detection.threat-hunting
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - '\places.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            - '\User Data\Default\Login Data'
            - '\User Data\Local State'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: low