Access To Browser Credential Files By Uncommon Application

Detects file access requests to browser credential stores by uncommon processes. Such access could indicate an attempt to steal stored credentials. The rule requires heavy baselining before use.

Sigma rule

title: Access To Browser Credential Files By Uncommon Application
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
status: experimental
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage
references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    - https://github.com/lclevy/firepwd
author: frack113
date: 2022/04/09
modified: 2023/12/18
tags:
    - attack.t1003
    - attack.credential_access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            - '\Appdata\Local\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies'
            - '\AppData\Local\Google\Chrome\User Data\Local State'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\WINDOWS\system32\'
            - ':\WINDOWS\SysWOW64\'
    filter_optional_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: medium
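As an added example (not part of the rule or the Sigma project), the rule's detection logic re-implemented in plain Python and run over constructed Kernel-File events, so a detection engineer can see which selection fires and which filter suppresses each event before deploying it. The field names FileName and Image and all patterns come from the rule; the user profile paths, Firefox profile name and Defender version in the sample events are constructed.

```python
# Added example: this rule's detection logic in plain Python, exercised against constructed
# events. Patterns are copied from the rule; matching is case-insensitive, as in Sigma.
SELECTION_ENDSWITH = [
    "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat",  # selection_ie
    "\\cookies.sqlite", "release\\key3.db", "release\\key4.db", "release\\logins.json",  # selection_firefox
]
SELECTION_CONTAINS = [  # selection_chromium
    "\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data",
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
]
FILTER_MAIN_CONTAINS = [":\\Program Files\\", ":\\Program Files (x86)\\",
                        ":\\WINDOWS\\system32\\", ":\\WINDOWS\\SysWOW64\\"]  # filter_main_generic
DEFENDER_DIR = ":\\ProgramData\\Microsoft\\Windows Defender\\"           # filter_optional_defender
DEFENDER_EXES = ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]
THOR_EXES = ["\\thor64.exe", "\\thor.exe"]                               # filter_optional_thor


def _endswith_any(value, patterns):
    return any(value.lower().endswith(p.lower()) for p in patterns)


def _contains_any(value, patterns):
    return any(p.lower() in value.lower() for p in patterns)


def matches_rule(event):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    file_name, image = event.get("FileName", ""), event.get("Image", "")
    selection = _endswith_any(file_name, SELECTION_ENDSWITH) or _contains_any(file_name, SELECTION_CONTAINS)
    filter_main = image.lower() == "system" or _contains_any(image, FILTER_MAIN_CONTAINS)
    # Two fields inside one selection map are ANDed: Defender directory AND binary name must both match.
    filter_defender = _contains_any(image, [DEFENDER_DIR]) and _endswith_any(image, DEFENDER_EXES)
    filter_optional = filter_defender or _endswith_any(image, THOR_EXES)
    return selection and not filter_main and not filter_optional


def alerting_images(events):
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); profile name and Defender version are made up.
PROFILE = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2.default-release\\"
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "FileName": PROFILE + "logins.json"},  # alerts
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "FileName": PROFILE + "key4.db"},  # filter_main_generic
    {"Image": "System", "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0\\MsMpEng.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    # Listed false positive: a search tool installed outside C:\ passes every filter and alerts.
    {"Image": "D:\\Tools\\Everything\\Everything.exe", "FileName": PROFILE + "cookies.sqlite"},
]
```

Running `alerting_images(SAMPLE_EVENTS)` returns only the Temp-folder binary and the D:\ search tool; the latter is exactly the false positive the rule's author says must be baselined or filtered per application.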
