Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Sigma rule (View on GitHub)
1title: Potential Browser Data Stealing
2id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
3related:
4 - id: fc028194-969d-4122-8abe-0470d5b8f12f
5 type: derived
6status: experimental
7description: |
8 Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
9 Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
10 Web browsers typically store the credentials in an encrypted format within a credential store.
11references:
12 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022/12/23
15modified: 2023/08/29
16tags:
17 - attack.credential_access
18 - attack.t1555.003
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_cmd:
24 - CommandLine|contains:
25 - 'copy-item'
26 - 'copy '
27 - 'cpi '
28 - ' cp '
29 - 'move '
30 - 'move-item'
31 - ' mi '
32 - ' mv '
33 - Image|endswith:
34 - '\xcopy.exe'
35 - '\robocopy.exe'
36 - OriginalFileName:
37 - 'XCOPY.EXE'
38 - 'robocopy.exe'
39 selection_path:
40 CommandLine|contains:
41 - '\Amigo\User Data'
42 - '\BraveSoftware\Brave-Browser\User Data'
43 - '\CentBrowser\User Data'
44 - '\Chromium\User Data'
45 - '\CocCoc\Browser\User Data'
46 - '\Comodo\Dragon\User Data'
47 - '\Elements Browser\User Data'
48 - '\Epic Privacy Browser\User Data'
49 - '\Google\Chrome Beta\User Data'
50 - '\Google\Chrome SxS\User Data'
51 - '\Google\Chrome\User Data\'
52 - '\Kometa\User Data'
53 - '\Maxthon5\Users'
54 - '\Microsoft\Edge\User Data'
55 - '\Mozilla\Firefox\Profiles'
56 - '\Nichrome\User Data'
57 - '\Opera Software\Opera GX Stable\'
58 - '\Opera Software\Opera Neon\User Data'
59 - '\Opera Software\Opera Stable\'
60 - '\Orbitum\User Data'
61 - '\QIP Surf\User Data'
62 - '\Sputnik\User Data'
63 - '\Torch\User Data'
64 - '\uCozMedia\Uran\User Data'
65 - '\Vivaldi\User Data'
66 condition: all of selection_*
67falsepositives:
68 - Unknown
69level: medium
References
Related rules
- Access to Browser Login Data
- Active Directory Replication from Non Machine Account
- Anonymous IP Address
- Antivirus Password Dumper Detection
- Cred Dump Tools Dropped Files