Access To Browser Credential Files By Uncommon Application
Detects file access requests to browser credential stores (Internet Explorer, Firefox, Chrome) by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before use.
Sigma rule
```yaml
title: Access To Browser Credential Files By Uncommon Application
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
status: experimental
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate a potential credential-stealing attempt.
    Requires heavy baselining before use.
references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    - https://github.com/lclevy/firepwd
author: frack113
date: 2022/04/09
modified: 2023/12/18
tags:
    - attack.t1003
    - attack.credential_access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - 'release\key3.db'     # Firefox, legacy NSS key store (replaced by key4.db in Firefox 58)
            - 'release\key4.db'     # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            # Chrome keeps 'Login Data' under ...\Google\Chrome\..., like the two entries below;
            # the earlier '\Appdata\Local\Chrome\...' spelling never matched a real Chrome profile path
            - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies'
            - '\AppData\Local\Google\Chrome\User Data\Local State'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid a large number of FPs with 3rd-party software.
        # You should remove it in favour of specific per-application filters.
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\WINDOWS\system32\'
            - ':\WINDOWS\SysWOW64\'
    filter_optional_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: medium
```
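To see what the detection section actually selects and filters, the following Python runs the rule's logic over a handful of constructed file_access events. This is an added example written for this page, not code from the Sigma rule, SigmaHQ or pySigma: it re-implements only the `endswith`, `contains` and equality matchers this rule uses (with Sigma's default case-insensitive string comparison, and the AND between two keys in one filter map) plus the rule's condition. The events, the user name "alice", the binary names and the Defender platform version are all made up for illustration.

```python
"""Run the rule's detection logic over constructed file_access events.

Added example for this page, not part of the Sigma rule or of SigmaHQ tooling.
Field names (FileName, Image) follow the rule; the events are constructed, not
captured telemetry. Plain (non-raw) strings are used so patterns can end in '\\'.
"""

# Detection terms copied from the rule above.
SELECTION_IE_ENDSWITH = ["\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"]
SELECTION_FIREFOX_ENDSWITH = ["\\cookies.sqlite", "release\\key3.db",
                              "release\\key4.db", "release\\logins.json"]
SELECTION_CHROMIUM_CONTAINS = [
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
]
FILTER_MAIN_SYSTEM_IMAGE = "System"
FILTER_MAIN_GENERIC_CONTAINS = [":\\Program Files\\", ":\\Program Files (x86)\\",
                                ":\\WINDOWS\\system32\\", ":\\WINDOWS\\SysWOW64\\"]
FILTER_DEFENDER_CONTAINS = ":\\ProgramData\\Microsoft\\Windows Defender\\"
FILTER_DEFENDER_ENDSWITH = ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]
FILTER_THOR_ENDSWITH = ["\\thor64.exe", "\\thor.exe"]


def _endswith(value, patterns):
    """Sigma `|endswith`: OR over the list, case-insensitive by default."""
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)


def _contains(value, patterns):
    """Sigma `|contains`: substring match, OR over the list, case-insensitive."""
    v = value.lower()
    return any(p.lower() in v for p in patterns)


def selection_matches(event):
    """`1 of selection_*`: any of the IE, Firefox or Chromium selections."""
    fn = event.get("FileName", "")
    return (_endswith(fn, SELECTION_IE_ENDSWITH)
            or _endswith(fn, SELECTION_FIREFOX_ENDSWITH)
            or _contains(fn, SELECTION_CHROMIUM_CONTAINS))


def filter_matches(event):
    """`1 of filter_main_*` or `1 of filter_optional_*`."""
    img = event.get("Image", "")
    if img.lower() == FILTER_MAIN_SYSTEM_IMAGE.lower():
        return True
    if _contains(img, FILTER_MAIN_GENERIC_CONTAINS):
        return True
    # Two keys inside one Sigma map are AND-ed: Defender is excluded only when the
    # image sits under the Defender platform folder AND is one of its binaries.
    if _contains(img, [FILTER_DEFENDER_CONTAINS]) and _endswith(img, FILTER_DEFENDER_ENDSWITH):
        return True
    return _endswith(img, FILTER_THOR_ENDSWITH)


def rule_matches(event):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection_matches(event) and not filter_matches(event)


def evaluate(events):
    """Names of the events the rule alerts on, in input order."""
    return [e["name"] for e in events if rule_matches(e)]


# Constructed events; paths follow the real browser profile layouts.
U = "C:\\Users\\alice\\AppData"
SAMPLE_EVENTS = [
    {"name": "temp_updater_chrome",  # alerts: unknown binary in %TEMP% reads Login Data
     "Image": U + "\\Local\\Temp\\update.exe",
     "FileName": U + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"name": "chrome_itself",  # excluded by filter_main_generic
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "FileName": U + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"name": "downloads_firefox",  # alerts: '...default-release\logins.json'
     "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "FileName": U + "\\Roaming\\Mozilla\\Firefox\\Profiles\\k2x9q7ab.default-release\\logins.json"},
    {"name": "kernel_system",  # excluded by filter_main_system
     "Image": "System",
     "FileName": U + "\\Roaming\\Mozilla\\Firefox\\Profiles\\k2x9q7ab.default-release\\cookies.sqlite"},
    {"name": "defender_scan",  # excluded by filter_optional_defender (both keys hold)
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe",
     "FileName": U + "\\Local\\Google\\Chrome\\User Data\\Local State"},
    {"name": "lowercase_ie",  # alerts: Sigma compares case-insensitively
     "Image": "c:\\users\\alice\\appdata\\local\\temp\\svc.exe",
     "FileName": "c:\\users\\alice\\appdata\\local\\microsoft\\windows\\webcache\\webcachev01.dat"},
    {"name": "dropped_in_program_files",  # blind spot of filter_main_generic
     "Image": "C:\\Program Files\\Common Files\\helper.exe",
     "FileName": U + "\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"name": "unrelated_file",  # no selection matches
     "Image": U + "\\Local\\Temp\\update.exe",
     "FileName": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT", name)
```

Two of the constructed events carry the practical lessons. `lowercase_ie` alerts despite its all-lowercase path because Sigma string matching is case-insensitive by default, which is also why the mixed `Appdata`/`AppData` spelling in the rule is harmless. `dropped_in_program_files` does not alert: anything executing from under Program Files or System32 is excluded regardless of what it reads, so a binary written there, or a signed binary already there that is abused to read the stores, stays invisible until `filter_main_generic` is replaced by per-application filters, as the rule's own comment asks.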
Related rules
- Credential Manager Access By Uncommon Application
- Suspicious SYSTEM User Process Creation
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Remote Credential Dumping Activity
- Antivirus Password Dumper Detection