Threat Huntlowtest

Access To Browser Credential Files By Uncommon Applications

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François Hubaut, X__Junior (Nextron Systems)Created Sat Apr 09Updated Mon Jul 2991cb43db-302a-47e3-b3c8-7ede481e27bfwindows

Hunting Hypothesis

Log Source

Windowsfile_access

ProductWindows← raw: windows

Categoryfile_access← raw: file_access

Definition

Requirements: Microsoft-Windows-Kernel-File ETW provider

Detection Logic

detection:
    selection_ie:
        FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
    selection_firefox:
        FileName|endswith:
            - '\cookies.sqlite'
            - '\places.sqlite'
            - 'release\key3.db'  # Firefox
            - 'release\key4.db'  # Firefox
            - 'release\logins.json' # Firefox
    selection_chromium:
        FileName|contains:
            - '\User Data\Default\Login Data'
            - '\User Data\Local State'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives

Antivirus, Anti-Spyware, Anti-Malware Software

Backup software

Legitimate software installed on partitions other than "C:\"

Searching software such as "everything.exe"

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1003 · OS Credential Dumping

Other

detection.threat-hunting

Related Rules

SimilarThreat Huntlow

Access To Browser Credential Files By Uncommon Applications - Security

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

91cb43db-302a-47e3-b3c8-7ede481e27bf

Status

test

Level

low

Type

Threat Hunt

Created

Sat Apr 09

Modified

Mon Jul 29

Author

François Hubaut, X__Junior (Nextron Systems)

Path

rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml

Raw Tags

attack.t1003attack.credential-accessdetection.threat-hunting

View on GitHub