SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
Sigma rule

```yaml
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
  - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
  - attack.credential-access
  - attack.t1539
  - attack.t1555.003
  - attack.collection
  - attack.t1005
logsource:
  category: process_creation
  product: windows
detection:
  selection_sql:
    - Product: SQLite
    - Image|endswith:
        - '\sqlite.exe'
        - '\sqlite3.exe'
  selection_chromium:
    CommandLine|contains:
      - '\User Data\' # Most common folder for user profile data among Chromium browsers
      - '\Opera Software\' # Opera
      - '\ChromiumViewer\' # Sleipnir (Fenrir)
  selection_data:
    CommandLine|contains:
      - 'Login Data' # Passwords
      - 'Cookies'
      - 'Web Data' # Credit cards, autofill data
      - 'History'
      - 'Bookmarks'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high
```
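The rule requires all three selections to match on a single process_creation event: a SQLite binary (by Product field or image name), a Chromium profile path, and one of the profile database names. The following added example, which is not part of the Sigma project and not a Sigma backend, reimplements that logic in Python and runs it over constructed Sysmon-style events, including a renamed sqlite binary that is still caught through the Product field.

```python
# Added illustration (not Sigma's own code): evaluates this rule's three
# selections and its "all of selection_*" condition over constructed
# Windows process_creation events shaped like Sysmon Event ID 1 fields.
SQLITE_IMAGES = ("\\sqlite.exe", "\\sqlite3.exe")
CHROMIUM_PATHS = ("\\User Data\\", "\\Opera Software\\", "\\ChromiumViewer\\")
DATA_FILES = ("Login Data", "Cookies", "Web Data", "History", "Bookmarks")


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    value = value.lower()
    return any(n.lower() in value for n in needles)


def selection_sql(event):
    # Either the binary's file-version Product field or its image name flags SQLite,
    # so renaming sqlite3.exe alone does not evade this selection.
    product = event.get("Product", "").lower()
    image = event.get("Image", "").lower()
    return product == "sqlite" or any(image.endswith(s.lower()) for s in SQLITE_IMAGES)


def selection_chromium(event):
    return _contains_any(event.get("CommandLine", ""), CHROMIUM_PATHS)


def selection_data(event):
    return _contains_any(event.get("CommandLine", ""), DATA_FILES)


def matches(event):
    # condition: all of selection_*
    return selection_sql(event) and selection_chromium(event) and selection_data(event)


# Constructed sample events: one obvious hit, two benign, one renamed binary.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Tools\\sqlite3.exe", "Product": "SQLite",
     "CommandLine": 'sqlite3.exe "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" .tables'},
    {"id": "e2", "Image": "C:\\Tools\\sqlite3.exe", "Product": "SQLite",
     "CommandLine": 'sqlite3.exe "C:\\App\\inventory.db" .tables'},
    {"id": "e3", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Product": "Google Chrome",
     "CommandLine": 'chrome.exe --user-data-dir="C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"id": "e4", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\s.exe", "Product": "SQLite",
     "CommandLine": 's.exe "C:\\Users\\u\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies" .tables'},
]


def alerting_ids(events=SAMPLE_EVENTS):
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_ids())  # ['e1', 'e4']
```

Event e3 shows why the condition is a conjunction: the browser itself legitimately references its own profile path, but it is not a SQLite binary, so it does not alert.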
Related rules
- SQLite Firefox Profile Data DB Access
- Cisco Collect Data
- ADFS Database Named Pipe Connection By Uncommon Tool
- AWS EC2 VM Export Failure
- Access to Browser Login Data