Suspicious Access To Browser Credential Files

Detects suspicious processes, identified by image name and location, that access browser credential stores; such access can be a sign of credential stealing.

Sigma rule

title: Suspicious Access To Browser Credential Files
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
status: experimental
description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
    - https://github.com/lclevy/firepwd
author: frack113
date: 2022/04/09
modified: 2023/03/28
tags:
    - attack.t1003
    - attack.credential_access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies'
            - '\Appdata\Local\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Local State'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        # This filter is added to avoid a large amount of FP with 3rd party software. You could remove this in favour of specific filters per-application
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\WINDOWS\system32\'
            - 'C:\WINDOWS\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: medium
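To see how the rule's selections, filters and condition combine on real-looking telemetry, here is an added example (not part of the Sigma project or of this rule) that re-implements the matching logic in Python and runs it over a handful of constructed Kernel-File access events. Field names (Image, ParentImage, FileName) follow the rule; every path, process and profile name in the events is invented.

```python
"""Added example, not part of the Sigma project or this rule: a small
evaluator that applies the rule's selections, filters and condition to a few
constructed Windows file-access events so the matching semantics can be
checked offline. Field names follow the rule; every event below is invented."""

# Selection blocks copied from the rule. Key = "Field|modifier", value = OR-list.
SELECTIONS = {
    "selection_ie": {
        "FileName|endswith": ["\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"],
    },
    "selection_firefox": {
        "FileName|endswith": ["\\cookies.sqlite", "release\\key3.db",
                              "release\\key4.db", "release\\logins.json"],
    },
    "selection_chromium": {
        "FileName|contains": [
            "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
            "\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data",
            "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
        ],
    },
}
FILTERS_MAIN = {
    "filter_main_system": {"Image": ["System"], "ParentImage": ["Idle"]},
    "filter_main_generic": {
        "Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                             "C:\\WINDOWS\\system32\\", "C:\\WINDOWS\\SysWOW64\\"],
    },
}
FILTERS_OPTIONAL = {
    # Two fields in one block are ANDed: the prefix AND the file name must both match.
    "filter_optional_defender": {
        "Image|startswith": ["C:\\ProgramData\\Microsoft\\Windows Defender\\"],
        "Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"],
    },
    "filter_optional_thor": {"Image|endswith": ["\\thor64.exe", "\\thor.exe"]},
    "filter_optional_msiexec": {"ParentImage": ["C:\\Windows\\System32\\msiexec.exe"]},
}


def field_matches(spec, patterns, event):
    """One 'Field|modifier' entry matches if ANY listed pattern matches.
    Sigma string comparison is case-insensitive, which is why the rule's mixed
    'Appdata'/'AppData' spellings still match real paths."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def block_matches(block, event):
    """All field entries inside one selection/filter block are ANDed."""
    return all(field_matches(spec, pats, event) for spec, pats in block.items())


def evaluate(event):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selected = any(block_matches(b, event) for b in SELECTIONS.values())
    main = any(block_matches(b, event) for b in FILTERS_MAIN.values())
    optional = any(block_matches(b, event) for b in FILTERS_OPTIONAL.values())
    return selected and not main and not optional


def ev(image, parent, filename):
    return {"Image": image, "ParentImage": parent, "FileName": filename}


# Constructed events (not real telemetry) shaped like Kernel-File access records.
EXPLORER = "C:\\Windows\\explorer.exe"
TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
CHROME_UD = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\"
FF_PROFILE = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\"
EVENTS = {
    "temp_exe_reads_chrome_cookies": ev(TEMP_EXE, EXPLORER, CHROME_UD + "Default\\Network\\Cookies"),
    "downloads_exe_reads_firefox_logins": ev("C:\\Users\\alice\\Downloads\\invoice.exe", EXPLORER, FF_PROFILE + "logins.json"),
    "chrome_reads_own_local_state": ev("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", EXPLORER, CHROME_UD + "Local State"),
    "defender_scans_firefox_cookies": ev("C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
                                         "C:\\Windows\\System32\\services.exe", FF_PROFILE + "cookies.sqlite"),
    "installer_child_reads_local_state": ev(TEMP_EXE, "C:\\Windows\\System32\\msiexec.exe", CHROME_UD + "Local State"),
    # Stock Chrome 'Login Data' path: the rule's second chromium pattern omits 'Google\', so it does not match.
    "temp_exe_reads_stock_chrome_login_data": ev(TEMP_EXE, EXPLORER, CHROME_UD + "Default\\Login Data"),
}


def run_all():
    """Return {event name: True if the rule would fire} for every constructed event."""
    return {name: evaluate(e) for name, e in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_all().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

Two things the run makes visible that the YAML alone does not: a filter block with two fields (the Defender one) only suppresses when both the directory prefix and the executable name match, and, because the second chromium pattern lacks the `Google\` directory, a read of the default Chrome `Login Data` file by an otherwise suspicious process is not selected by this rule as written, only the `Network\Cookies` and `Local State` reads are. Anyone tuning the rule locally should confirm the paths against their own telemetry before relying on it for that file.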
