EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Access To Chromium Browsers Sensitive Files By Uncommon Applications

Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information.

MITRE ATT&CK

T1003
credential-access

Detection Query

selection:
  FileName|contains:
    - \User Data\Default\Cookies
    - \User Data\Default\History
    - \User Data\Default\Network\Cookies
    - \User Data\Default\Web Data
filter_main_system:
  Image: System
filter_main_generic:
  Image|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\system32\
    - C:\Windows\SysWOW64\
filter_optional_defender:
  Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
    - \MpCopyAccelerator.exe
    - \MsMpEng.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

X__Junior (Nextron Systems)

Created

2024-07-29

Data Sources

windowsfile_access

Platforms

windows

References

Tags

attack.t1003attack.credential-accessdetection.threat-hunting
Raw Content
title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
id: c5f37810-a85f-4186-81e9-33f23abb4141
status: test
description: |
    Detects file access requests to chromium based browser sensitive files by uncommon processes.
    Could indicate potential attempt of stealing sensitive information.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
    - detection.threat-hunting
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\User Data\Default\Cookies'
            - '\User Data\Default\History'
            - '\User Data\Default\Network\Cookies'
            - '\User Data\Default\Web Data'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: low