SQLite Chromium Profile Data DB Access

calendar Dec 1, 2023 · attack.credential_access attack.t1539 attack.t1555.003 attack.collection attack.t1005  ·
Share on: linkedin copy

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Sigma rule (View on GitHub)

 1title: SQLite Chromium Profile Data DB Access
 2id: 24c77512-782b-448a-8950-eddb0785fc71
 3status: test
 4description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
 7    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 8author: TropChaud
 9date: 2022/12/19
10modified: 2023/01/19
11tags:
12    - attack.credential_access
13    - attack.t1539
14    - attack.t1555.003
15    - attack.collection
16    - attack.t1005
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_sql:
22        - Product: SQLite
23        - Image|endswith:
24              - '\sqlite.exe'
25              - '\sqlite3.exe'
26    selection_chromium:
27        CommandLine|contains:
28            - '\User Data\' # Most common folder for user profile data among Chromium browsers
29            - '\Opera Software\' # Opera
30            - '\ChromiumViewer\' # Sleipnir (Fenrir)
31    selection_data:
32        CommandLine|contains:
33            - 'Login Data' # Passwords
34            - 'Cookies'
35            - 'Web Data' # Credit cards, autofill data
36            - 'History'
37            - 'Bookmarks'
38    condition: all of selection_*
39falsepositives:
40    - Unknown
41level: high

References

Related rules

to-top