Type: Detection | Level: medium | Status: test
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Dec 23
Updated: Wed Mar 19
Rule ID: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
  selection_cmd:
    - CommandLine|contains:
        - 'copy-item'
        - 'copy '
        - 'cpi '
        - ' cp '
        - 'move '
        - 'move-item'
        - ' mi '
        - ' mv '
    - Image|endswith:
        - '\esentutl.exe' # akira ransomware
        - '\xcopy.exe'
        - '\robocopy.exe'
    - OriginalFileName:
        - 'esentutl.exe'
        - 'XCOPY.EXE'
        - 'robocopy.exe'
  selection_path:
    CommandLine|contains:
      - '\Amigo\User Data'
      - '\BraveSoftware\Brave-Browser\User Data'
      - '\CentBrowser\User Data'
      - '\Chromium\User Data'
      - '\CocCoc\Browser\User Data'
      - '\Comodo\Dragon\User Data'
      - '\Elements Browser\User Data'
      - '\Epic Privacy Browser\User Data'
      - '\Google\Chrome Beta\User Data'
      - '\Google\Chrome SxS\User Data'
      - '\Google\Chrome\User Data\'
      - '\Kometa\User Data'
      - '\Maxthon5\Users'
      - '\Microsoft\Edge\User Data'
      - '\Mozilla\Firefox\Profiles'
      - '\Nichrome\User Data'
      - '\Opera Software\Opera GX Stable\'
      - '\Opera Software\Opera Neon\User Data'
      - '\Opera Software\Opera Stable\'
      - '\Orbitum\User Data'
      - '\QIP Surf\User Data'
      - '\Sputnik\User Data'
      - '\Torch\User Data'
      - '\uCozMedia\Uran\User Data'
      - '\Vivaldi\User Data'
  condition: all of selection_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
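The detection logic above is a list of maps under selection_cmd (OR-ed across CommandLine, Image and OriginalFileName) AND-ed with the browser-profile path selection. The following added example, which is not part of the Sigma project or this rule, evaluates exactly that logic over constructed process-creation events, including a plain robocopy job and a normal browser launch that each satisfy only one selection and therefore must not alert; event dicts, field names and sample command lines are assumptions for illustration.

```python
# Added example, not part of the Sigma project: a minimal evaluator for this rule's two
# selections and its "all of selection_*" condition, run over constructed sample events.
CMD_TOKENS = ['copy-item', 'copy ', 'cpi ', ' cp ', 'move ', 'move-item', ' mi ', ' mv ']
IMAGE_SUFFIXES = ['\\esentutl.exe', '\\xcopy.exe', '\\robocopy.exe']
ORIGINAL_NAMES = ['esentutl.exe', 'XCOPY.EXE', 'robocopy.exe']
BROWSER_PATHS = [
    '\\Amigo\\User Data', '\\BraveSoftware\\Brave-Browser\\User Data', '\\CentBrowser\\User Data',
    '\\Chromium\\User Data', '\\CocCoc\\Browser\\User Data', '\\Comodo\\Dragon\\User Data',
    '\\Elements Browser\\User Data', '\\Epic Privacy Browser\\User Data',
    '\\Google\\Chrome Beta\\User Data', '\\Google\\Chrome SxS\\User Data',
    '\\Google\\Chrome\\User Data\\', '\\Kometa\\User Data', '\\Maxthon5\\Users',
    '\\Microsoft\\Edge\\User Data', '\\Mozilla\\Firefox\\Profiles', '\\Nichrome\\User Data',
    '\\Opera Software\\Opera GX Stable\\', '\\Opera Software\\Opera Neon\\User Data',
    '\\Opera Software\\Opera Stable\\', '\\Orbitum\\User Data', '\\QIP Surf\\User Data',
    '\\Sputnik\\User Data', '\\Torch\\User Data', '\\uCozMedia\\Uran\\User Data',
    '\\Vivaldi\\User Data',
]

def _field(event, name):
    # Sigma string matching is case-insensitive; a missing field never matches.
    return str(event.get(name, '')).lower()

def selection_cmd(event):
    # A list of maps under one selection is OR-ed: any one of the three fields suffices.
    cmd, image, orig = (_field(event, f) for f in ('CommandLine', 'Image', 'OriginalFileName'))
    return (any(t in cmd for t in CMD_TOKENS)
            or any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or orig in {n.lower() for n in ORIGINAL_NAMES})

def selection_path(event):
    return any(p.lower() in _field(event, 'CommandLine') for p in BROWSER_PATHS)

def matches(event):
    # condition: all of selection_*  ->  both selections must hold on the same event.
    return selection_cmd(event) and selection_path(event)
# Constructed process-creation events: the first two should alert, the last two should not.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell Copy-Item "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" C:\\tmp'},
    {'Image': 'C:\\Windows\\System32\\esentutl.exe', 'OriginalFileName': 'esentutl.exe',
     'CommandLine': 'esentutl.exe /y "C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data" /d C:\\tmp\\l'},
    {'Image': 'C:\\Windows\\System32\\Robocopy.exe', 'OriginalFileName': 'robocopy.exe',
     'CommandLine': 'robocopy C:\\Projects D:\\Backup /E'},  # copy tool, but no browser profile path
    {'Image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'CommandLine': 'chrome.exe --user-data-dir="C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\"'},  # browser path, no copy
]

def evaluate(events=SAMPLE_EVENTS):
    # Indexes of events that satisfy the condition; returns [0, 1] for SAMPLE_EVENTS.
    return [i for i, e in enumerate(events) if matches(e)]
```

Note that the loose token 'copy ' also matches 'robocopy ' in the third sample; it is the browser-path selection that keeps such routine copy jobs from alerting.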
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1555.003 Credentials from Web Browsers (attack.t1555.003)
Rule Metadata
Rule ID: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
Status: test
Level: medium
Type: Detection
Created: Fri Dec 23
Modified: Wed Mar 19
Path: rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
Raw Tags
attack.credential-access
attack.t1555.003