Threat Huntlowtest
Access To Chromium Browsers Sensitive Files By Uncommon Applications
Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Hunting Hypothesis
Log Source
Windowsfile_access
ProductWindows← raw: windows
Categoryfile_access← raw: file_access
Definition
Requirements: Microsoft-Windows-Kernel-File ETW provider
Detection Logic
Detection Logic4 selectors
detection:
selection:
FileName|contains:
- '\User Data\Default\Cookies'
- '\User Data\Default\History'
- '\User Data\Default\Network\Cookies'
- '\User Data\Default\Web Data'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Antivirus, Anti-Spyware, Anti-Malware Software
Backup software
Legitimate software installed on partitions other than "C:\"
Searching software such as "everything.exe"
References
1
Resolving title…
Internal ResearchMITRE ATT&CK
Tactics
Techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
c5f37810-a85f-4186-81e9-33f23abb4141
Status
test
Level
low
Type
Threat Hunt
Created
Mon Jul 29
Path
rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
Raw Tags
attack.t1003attack.credential-accessdetection.threat-hunting