
Access To Browser Credential Files By Uncommon Applications - Security

Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential-stealing attempt. This rule requires heavy baselining before usage.

Authors: Daniel Koifman, Nasreddine Bencherchali (Nextron Systems)
Created: Mon Oct 21
Rule ID: 4b60e527-ec73-4b47-8cb3-f02ad927ca65

Log Source
Product: windows
Service: security

Definition

Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.

Detection Logic
detection:
    selection_eid:
        EventID: 4663
        ObjectType: 'File'
        # Note: This AccessMask requires enhancement, as this access right can be combined with other requests in one mask. It should cover all outcomes where READ access (and similar rights) is part of the mask.
        AccessMask: '0x1'
    selection_browser_chromium:
        ObjectName|contains:
            - '\User Data\Default\Login Data'
            - '\User Data\Local State'
            - '\User Data\Default\Network\Cookies'
    selection_browser_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - '\places.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    filter_main_system:
        ProcessName: System
    filter_main_generic:
        # This filter is added to avoid a large number of FPs from 3rd-party software. You should remove it in favour of a specific filter per application.
        ProcessName|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        ProcessName|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        ProcessName|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*
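The rule's condition, re-implemented in Python and run over constructed 4663 events, so the AccessMask caveat from the rule's comment can be seen in practice. This is an added example, not code from the Sigma project; field names mirror the rule, the events are made up, and the `strict_mask=False` bit-field check and the `FileName` fallback to `ObjectName` are assumptions of this example.

```python
# Added example (not from the Sigma project). Re-implements the rule condition above and
# evaluates it over constructed Windows Security 4663 events (not real telemetry).
CHROMIUM_PATHS = ('\\user data\\default\\login data', '\\user data\\local state',
                  '\\user data\\default\\network\\cookies')
FIREFOX_SUFFIXES = ('\\cookies.sqlite', '\\places.sqlite', 'release\\key3.db',
                    'release\\key4.db', 'release\\logins.json')
TRUSTED_PREFIXES = ('c:\\program files (x86)\\', 'c:\\program files\\',
                    'c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
DEFENDER_PREFIX = 'c:\\programdata\\microsoft\\windows defender\\'
DEFENDER_EXES = ('\\mpcopyaccelerator.exe', '\\msmpeng.exe')
FILE_READ_DATA = 0x1  # the single bit the rule's AccessMask value '0x1' represents


def matches(ev: dict, strict_mask: bool = True) -> bool:
    """strict_mask=True is the rule as written (AccessMask must equal '0x1').
    strict_mask=False treats AccessMask as a bit field, which is the enhancement the
    rule's own comment asks for (assumption of this example). Matching is
    case-insensitive, as Sigma string modifiers are by default."""
    obj = ev.get('ObjectName', '').lower()
    fname = ev.get('FileName', obj).lower()  # assumption: fall back to ObjectName
    proc = ev.get('ProcessName', '').lower()
    mask = int(ev.get('AccessMask', '0x0'), 16)
    mask_ok = mask == FILE_READ_DATA if strict_mask else bool(mask & FILE_READ_DATA)
    selection_eid = ev.get('EventID') == 4663 and ev.get('ObjectType') == 'File' and mask_ok
    browser = any(p in obj for p in CHROMIUM_PATHS) or fname.endswith(FIREFOX_SUFFIXES)
    filter_system = proc == 'system'
    filter_generic = proc.startswith(TRUSTED_PREFIXES)
    # Both ProcessName conditions in filter_optional_defender must hold (AND within a selection).
    filter_defender = proc.startswith(DEFENDER_PREFIX) and proc.endswith(DEFENDER_EXES)
    return selection_eid and browser and not (filter_system or filter_generic or filter_defender)


# Constructed sample events; paths and process names are illustrative only.
EVENTS = [
    {'EventID': 4663, 'ObjectType': 'File', 'AccessMask': '0x1',            # should alert
     'ObjectName': 'C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data',
     'ProcessName': 'C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe'},
    {'EventID': 4663, 'ObjectType': 'File', 'AccessMask': '0x1',            # filtered: Program Files
     'ObjectName': 'C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data',
     'ProcessName': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'},
    {'EventID': 4663, 'ObjectType': 'File', 'AccessMask': '0x20089',        # combined mask, missed by strict rule
     'ObjectName': 'C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default-release\\logins.json',
     'ProcessName': 'C:\\Users\\a\\Downloads\\tool.exe'},
]


def run(events, strict_mask: bool = True):
    """Return the indices of events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev, strict_mask)]
```

Event 2 carries a read mask combined with other rights (constructed as 0x20089), so `run(EVENTS)` returns `[0]` while `run(EVENTS, strict_mask=False)` returns `[0, 2]`: the gap the rule's comment describes.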
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
attack.credential-access
attack.t1555.003

Other
detection.threat-hunting
Rule Metadata
Rule ID
4b60e527-ec73-4b47-8cb3-f02ad927ca65
Status
test
Level
low
Type
Threat Hunt
Created
Mon Oct 21
Path
rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml
Raw Tags
attack.credential-access
attack.t1555.003
detection.threat-hunting