Convert indexed Sigma rules into analyst-ready detections.

title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium