Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
Requirements: Script Block Logging must be enabled
detection:
selection_cmd:
ScriptBlockText|contains|all:
- Copy-Item
- '-Destination'
selection_path:
ScriptBlockText|contains:
- '\Opera Software\Opera Stable\Login Data'
- '\Mozilla\Firefox\Profiles'
- '\Microsoft\Edge\User Data\Default'
- '\Google\Chrome\User Data\Default\Login Data'
- '\Google\Chrome\User Data\Default\Login Data For Account'
condition: all of selection_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Sub-techniques
98f4c75c-3089-44f3-b733-b327b9cd9c9d
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Detects similar activity. Both rules may fire on overlapping events.