Potential Browser Data Stealing

calendar Apr 16, 2025 · attack.credential-access attack.t1555.003  ·
Share on: linkedin copy

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Sigma rule (View on GitHub)

 1title: Potential Browser Data Stealing
 2id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 3related:
 4    - id: fc028194-969d-4122-8abe-0470d5b8f12f
 5      type: derived
 6status: test
 7description: |
 8    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
 9    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
10    Web browsers typically store the credentials in an encrypted format within a credential store.    
11references:
12    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
13    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022-12-23
16modified: 2025-03-19
17tags:
18    - attack.credential-access
19    - attack.t1555.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_cmd:
25        - CommandLine|contains:
26              - 'copy-item'
27              - 'copy '
28              - 'cpi '
29              - ' cp '
30              - 'move '
31              - 'move-item'
32              - ' mi '
33              - ' mv '
34        - Image|endswith:
35              - '\esentutl.exe' # akira ransomware
36              - '\xcopy.exe'
37              - '\robocopy.exe'
38        - OriginalFileName:
39              - 'esentutl.exe'
40              - 'XCOPY.EXE'
41              - 'robocopy.exe'
42    selection_path:
43        CommandLine|contains:
44            - '\Amigo\User Data'
45            - '\BraveSoftware\Brave-Browser\User Data'
46            - '\CentBrowser\User Data'
47            - '\Chromium\User Data'
48            - '\CocCoc\Browser\User Data'
49            - '\Comodo\Dragon\User Data'
50            - '\Elements Browser\User Data'
51            - '\Epic Privacy Browser\User Data'
52            - '\Google\Chrome Beta\User Data'
53            - '\Google\Chrome SxS\User Data'
54            - '\Google\Chrome\User Data\'
55            - '\Kometa\User Data'
56            - '\Maxthon5\Users'
57            - '\Microsoft\Edge\User Data'
58            - '\Mozilla\Firefox\Profiles'
59            - '\Nichrome\User Data'
60            - '\Opera Software\Opera GX Stable\'
61            - '\Opera Software\Opera Neon\User Data'
62            - '\Opera Software\Opera Stable\'
63            - '\Orbitum\User Data'
64            - '\QIP Surf\User Data'
65            - '\Sputnik\User Data'
66            - '\Torch\User Data'
67            - '\uCozMedia\Uran\User Data'
68            - '\Vivaldi\User Data'
69    condition: all of selection_*
70falsepositives:
71    - Unknown
72level: medium

References

Related rules

to-top