SQLite Firefox Profile Data DB Access

 1title: SQLite Firefox Profile Data DB Access
 2id: 4833155a-4053-4c9c-a997-777fcea0baa7
 3status: test
 4description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
 7    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 8author: frack113
 9date: 2022-04-08
10modified: 2023-01-19
11tags:
12    - attack.credential-access
13    - attack.t1539
14    - attack.collection
15    - attack.t1005
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_sql:
21        - Product: SQLite
22        - Image|endswith:
23              - '\sqlite.exe'
24              - '\sqlite3.exe'
25    selection_firefox:
26        CommandLine|contains:
27            - 'cookies.sqlite'
28            - 'places.sqlite' # Bookmarks, history
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: high

References

• atomic-red-team/atomics/T1539/T1539.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Cyble - Prynt Stealer Spotted In The Wild

  

  The stealer is new on the cybercrime forums and can steal financial data using a clipper and keylogging operations.

  
  Read More

Related rules

• SQLite Chromium Profile Data DB Access
• Cisco Collect Data
• ADFS Database Named Pipe Connection By Uncommon Tool
• AWS EC2 VM Export Failure
• Automated Collection Command Prompt