Access to Browser Login Data

 1title: Access to Browser Login Data
 2id: fc028194-969d-4122-8abe-0470d5b8f12f
 3related:
 4    - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
 5      type: obsoletes
 6    - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 7      type: similar
 8status: test
 9description: |
10    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
11    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
12    Web browsers typically store the credentials in an encrypted format within a credential store.    
13references:
14    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
15author: frack113
16date: 2022/01/30
17tags:
18    - attack.credential_access
19    - attack.t1555.003
20logsource:
21    product: windows
22    category: ps_script
23    definition: 'Requirements: Script Block Logging must be enabled'
24detection:
25    selection_cmd:
26        ScriptBlockText|contains|all:
27            - Copy-Item
28            - '-Destination'
29    selection_path:
30        ScriptBlockText|contains:
31            - '\Opera Software\Opera Stable\Login Data'
32            - '\Mozilla\Firefox\Profiles'
33            - '\Microsoft\Edge\User Data\Default'
34            - '\Google\Chrome\User Data\Default\Login Data'
35            - '\Google\Chrome\User Data\Default\Login Data For Account'
36    condition: all of selection_*
37falsepositives:
38    - Unknown
39level: medium