Access To Browser Credential Files By Uncommon Application

Detects file access requests to browser credential stores by uncommon processes. Could indicate an attempt to steal stored credentials. Requires heavy baselining before use.

Sigma rule

title: Access To Browser Credential Files By Uncommon Application
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
status: experimental
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage
references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    - https://github.com/lclevy/firepwd
author: frack113
date: 2022/04/09
modified: 2023/09/15
tags:
    - attack.t1003
    - attack.credential_access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            - '\Appdata\Local\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies'
            - '\AppData\Local\Google\Chrome\User Data\Local State'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        # This filter is added to avoid a large amount of FP with 3rd party software. You could remove this in favour of specific filters per application
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\WINDOWS\system32\'
            - 'C:\WINDOWS\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: low
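To show how the condition above resolves in practice, here is an added example (not part of the Sigma project or this rule) that re-implements the rule's selection and filter logic in Python and runs it over constructed file_access events; Sigma string modifiers compare case-insensitively, which the evaluator mirrors. All file and image paths in the sample events are invented for illustration.

```python
# Minimal evaluator for this rule's condition:
#   1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
SEL_ENDSWITH = [  # selection_ie + selection_firefox
    r"\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat",
    r"\cookies.sqlite", r"release\key3.db", r"release\key4.db", r"release\logins.json",
]
SEL_CONTAINS = [  # selection_chromium
    r"\Appdata\Local\Chrome\User Data\Default\Login Data",
    r"\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"\AppData\Local\Google\Chrome\User Data\Local State",
]
GENERIC_PREFIXES = ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                    "C:\\WINDOWS\\system32\\", "C:\\WINDOWS\\SysWOW64\\"]
DEFENDER_PREFIX = "C:\\ProgramData\\Microsoft\\Windows Defender\\"
DEFENDER_IMAGES = [r"\MpCopyAccelerator.exe", r"\MsMpEng.exe"]
THOR_IMAGES = [r"\thor64.exe", r"\thor.exe"]
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

def _lc(values):
    return [v.lower() for v in values]

def matches(event):
    """True when the event would fire this rule (case-insensitive, like Sigma)."""
    fn = event.get("FileName", "").lower()
    img = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    selected = (any(fn.endswith(s) for s in _lc(SEL_ENDSWITH))
                or any(s in fn for s in _lc(SEL_CONTAINS)))
    if not selected:
        return False
    filters = [
        img == "system" and parent == "idle",                    # filter_main_system
        any(img.startswith(p) for p in _lc(GENERIC_PREFIXES)),   # filter_main_generic
        img.startswith(DEFENDER_PREFIX.lower())                  # filter_optional_defender
        and any(img.endswith(e) for e in _lc(DEFENDER_IMAGES)),
        any(img.endswith(e) for e in _lc(THOR_IMAGES)),          # filter_optional_thor
        parent == MSIEXEC.lower(),                               # filter_optional_msiexec
    ]
    return not any(filters)

# Constructed sample events (invented paths): unknown binary reading Firefox logins,
# Firefox itself doing the same, a download reading Chrome's Local State, Defender
# touching cookies.sqlite, and an unrelated file access.
FF_LOGINS = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default-release\logins.json"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ParentImage": r"C:\Windows\explorer.exe", "FileName": FF_LOGINS},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ParentImage": r"C:\Windows\explorer.exe", "FileName": FF_LOGINS},
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2\MsMpEng.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default-release\cookies.sqlite"},
    {"Image": r"C:\Users\alice\notes.exe", "ParentImage": r"C:\Windows\explorer.exe", "FileName": r"C:\Users\alice\Documents\notes.txt"},
]

def alerting_images(events):
    """Image paths of the events the rule would flag, in input order."""
    return [e["Image"] for e in events if matches(e)]
```

Only the two non-whitelisted user-profile binaries survive the filters; the Firefox and Defender accesses are dropped by filter_main_generic and filter_optional_defender, which is exactly the baselining the description asks for.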
