Potential Browser Data Stealing

calendar Oct 18, 2023 · attack.credential_access attack.t1555.003  ·
Share on: linkedin copy

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Sigma rule (View on GitHub)

 1title: Potential Browser Data Stealing
 2id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 3related:
 4    - id: fc028194-969d-4122-8abe-0470d5b8f12f
 5      type: derived
 6status: experimental
 7description: |
 8    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
 9    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
10    Web browsers typically store the credentials in an encrypted format within a credential store.    
11references:
12    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022/12/23
15modified: 2023/08/29
16tags:
17    - attack.credential_access
18    - attack.t1555.003
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_cmd:
24        - CommandLine|contains:
25              - 'copy-item'
26              - 'copy '
27              - 'cpi '
28              - ' cp '
29              - 'move '
30              - 'move-item'
31              - ' mi '
32              - ' mv '
33        - Image|endswith:
34              - '\xcopy.exe'
35              - '\robocopy.exe'
36        - OriginalFileName:
37              - 'XCOPY.EXE'
38              - 'robocopy.exe'
39    selection_path:
40        CommandLine|contains:
41            - '\Amigo\User Data'
42            - '\BraveSoftware\Brave-Browser\User Data'
43            - '\CentBrowser\User Data'
44            - '\Chromium\User Data'
45            - '\CocCoc\Browser\User Data'
46            - '\Comodo\Dragon\User Data'
47            - '\Elements Browser\User Data'
48            - '\Epic Privacy Browser\User Data'
49            - '\Google\Chrome Beta\User Data'
50            - '\Google\Chrome SxS\User Data'
51            - '\Google\Chrome\User Data\'
52            - '\Kometa\User Data'
53            - '\Maxthon5\Users'
54            - '\Microsoft\Edge\User Data'
55            - '\Mozilla\Firefox\Profiles'
56            - '\Nichrome\User Data'
57            - '\Opera Software\Opera GX Stable\'
58            - '\Opera Software\Opera Neon\User Data'
59            - '\Opera Software\Opera Stable\'
60            - '\Orbitum\User Data'
61            - '\QIP Surf\User Data'
62            - '\Sputnik\User Data'
63            - '\Torch\User Data'
64            - '\uCozMedia\Uran\User Data'
65            - '\Vivaldi\User Data'
66    condition: all of selection_*
67falsepositives:
68    - Unknown
69level: medium

References

Related rules

to-top