PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
Sigma rule (View on GitHub)
1title: PUA - WebBrowserPassView Execution
2id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
3status: test
4description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
7author: frack113
8date: 2022-08-20
9modified: 2023-02-14
10tags:
11 - attack.credential-access
12 - attack.t1555.003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Description: 'Web Browser Password Viewer'
19 - Image|endswith: '\WebBrowserPassView.exe'
20 condition: selection
21falsepositives:
22 - Legitimate use
23level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Access to Browser Login Data
- Potential Browser Data Stealing
- SQLite Chromium Profile Data DB Access
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript