Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is commonly observed in credential-stealing malware.
Sigma rule
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is commonly observed in credential-stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
              - '\Login Data'
              - '\Cookies'
              - '\EncryptedStorage'
              - '\WebCache\'
        - FileName|endswith:
              - 'cert9.db'
              - 'cookies.sqlite'
              - 'formhistory.sqlite'
              - 'key3.db'
              - 'key4.db'
              - 'Login Data.sqlite'
              - 'logins.json'
              - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
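To show how the condition above combines its three selections and two filter tiers, here is a small evaluator run over constructed file_access events. This is an added example, not part of the Sigma rule or SigmaHQ; the path lists are a representative subset of the rule's lists, and the events (a dropper in %TEMP%, chrome.exe itself, Defender, and a tool on a D: partition) are made up for the demonstration.

```python
# Path lists are a representative subset of the rule's lists (assumption, not the full rule).
BROWSER_PATHS = ["\\Google\\Chrome", "\\Microsoft\\Edge", "\\Mozilla\\SeaMonkey\\"]
BROWSER_SUBPATHS = ["\\Profiles\\", "\\User Data"]
CRED_CONTAINS = ["\\Login Data", "\\Cookies", "\\EncryptedStorage", "\\WebCache\\"]
CRED_ENDSWITH = ["cert9.db", "cookies.sqlite", "key4.db", "logins.json", "places.sqlite"]
BROWSER_IMAGES = ["\\chrome.exe", "\\msedge.exe", "\\seamonkey.exe"]
BROWSER_IMAGE_PATHS = ["\\Google\\", "\\Microsoft\\", "\\Mozilla\\"]
GENERIC_PREFIXES = ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                    "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]
DEFENDER_IMAGES = ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]

# Sigma string modifiers are case-insensitive by default, so compare lowercased values.
def _contains_any(v, needles): return any(n.lower() in v.lower() for n in needles)
def _endswith_any(v, needles): return any(v.lower().endswith(n.lower()) for n in needles)
def _startswith_any(v, needles): return any(v.lower().startswith(n.lower()) for n in needles)

def matches(event):
    """True when: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*."""
    fn, img, parent = event["FileName"], event["Image"], event["ParentImage"]
    # all of selection_*: vendor path AND profile subpath AND a credential artefact
    selection = (_contains_any(fn, BROWSER_PATHS) and _contains_any(fn, BROWSER_SUBPATHS)
                 and (_contains_any(fn, CRED_CONTAINS) or _endswith_any(fn, CRED_ENDSWITH)))
    # 1 of filter_main_*: the browser itself, the System process, or a trusted install root
    filter_main = (_endswith_any(img, BROWSER_IMAGES) or _contains_any(img, BROWSER_IMAGE_PATHS)
                   or (img.lower() == "system" and parent.lower() == "idle")
                   or _startswith_any(img, GENERIC_PREFIXES))
    # 1 of filter_optional_*: Defender (path AND name), THOR, msiexec children, Everything
    filter_optional = ((_contains_any(img, ["\\Microsoft\\Windows Defender\\"])
                        and _endswith_any(img, DEFENDER_IMAGES))
                       or _endswith_any(img, ["\\thor.exe", "\\thor64.exe"])
                       or parent.lower() == "c:\\windows\\system32\\msiexec.exe"
                       or _endswith_any(img, ["\\everything.exe"]))
    return selection and not filter_main and not filter_optional

def evaluate(events):
    return [i for i, e in enumerate(events) if matches(e)]  # indexes the rule alerts on

# Constructed sample events (not real telemetry): updater.exe in %TEMP% reading Chrome's Login Data,
# Chrome reading its own Cookies, Defender scanning a SeaMonkey profile, backup.exe on D: reading Edge cookies.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\x.default\\logins.json"},
    {"Image": "D:\\Tools\\backup.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"},
]
```

The last event fires because the generic filters only cover install roots on C:, which is exactly the third false-positive source the rule lists.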
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Potential Browser Data Stealing
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock