File Access Of Signal Desktop Sensitive Data

 1title: File Access Of Signal Desktop Sensitive Data
 2id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
 3status: experimental
 4description: |
 5    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
 6    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
 7    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
 8    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.    
 9references:
10    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
11    - https://vmois.dev/query-signal-desktop-messages-sqlite/
12author: Andreas Braathen (mnemonic.io)
13date: 2025-10-19
14tags:
15    - attack.credential-access
16    - attack.t1003
17logsource:
18    product: windows
19    service: security
20    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
21detection:
22    selection:
23        EventID: 4663
24        ObjectType: 'File'
25        ObjectName|contains: '\AppData\Roaming\Signal\'
26        ObjectName|endswith:
27            - '\config.json'
28            - '\db.sqlite'
29    filter_main_signal:
30        ProcessName|endswith:
31            - '\signal-portable.exe'
32            - '\signal.exe'
33    condition: selection and not 1 of filter_main_*
34falsepositives:
35    - Unlikely, but possible from AV or backup software accessing the files.
36level: medium