Date: 10/29/2024
Severity: Low
Summary: Identifies file access requests to browser credential stores by unusual processes, which may indicate attempted credential theft. Extensive baselining is necessary before use.
Indicators of Compromise (IOC) List
FileName (browser credential store paths):
  \Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  \cookies.sqlite
  \places.sqlite
  release\key3.db
  release\key4.db
  release\logins.json
  \User Data\Default\Login Data
  \User Data\Local State
Image (processes excluded by the detection queries):
  System
  C:\Program Files (x86)\
  C:\Program Files\
  C:\Windows\system32\
  C:\Windows\SysWOW64\
  C:\ProgramData\Microsoft\Windows Defender\
  \MpCopyAccelerator.exe
  \MsMpEng.exe
  \thor.exe
  \thor64.exe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
  (resourcename = "Windows Security" AND eventtype in ("4663"))
  AND objectname in ("\cookies.sqlite","\places.sqlite","release\key3.db","release\key4.db","release\logins.json","\User Data\Default\Login Data","\User Data\Local State")
  AND processname not in ("System","C:\Program Files (x86)","C:\Program Files","C:\Windows\system32","C:\Windows\SysWOW64","C:\ProgramData\Microsoft\Windows Defender","\MpCopyAccelerator.exe","\MsMpEng.exe","\thor.exe","\thor64.exe")
Detection Query 2:
  (technologygroup = "EDR")
  AND objectname in ("\cookies.sqlite","\places.sqlite","release\key3.db","release\key4.db","release\logins.json","\User Data\Default\Login Data","\User Data\Local State")
  AND processname not in ("System","C:\Program Files (x86)","C:\Program Files","C:\Windows\system32","C:\Windows\SysWOW64","C:\ProgramData\Microsoft\Windows Defender","\MpCopyAccelerator.exe","\MsMpEng.exe","\thor.exe","\thor64.exe")
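The two queries above reduce to the same rule: a file-access event whose object path ends with one of the credential store names, from a process that is not on the benign allowlist, with Query 1 further restricted to Windows Security event 4663. The following is an added example, not Gurucul's or SigmaHQ's code, that evaluates that rule over constructed sample events so the match and exclusion behaviour can be checked before baselining. The event field names (source, event_id, object_name, process_name) are assumed, and the allowlist is interpreted with the referenced Sigma rule's semantics (directories as path prefixes, executables as path suffixes), which the queries' "not in" leaves implicit.

```python
# Added example (not Gurucul's or SigmaHQ's code): evaluates the browser
# credential store access logic over constructed sample events.
# Assumed event fields: source, event_id, object_name, process_name.

# Credential store paths from the IOC list, matched as path suffixes.
CREDENTIAL_STORE_SUFFIXES = (
    "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
    "\\cookies.sqlite",
    "\\places.sqlite",
    "release\\key3.db",
    "release\\key4.db",
    "release\\logins.json",
    "\\User Data\\Default\\Login Data",
    "\\User Data\\Local State",
)

# Processes the queries exclude. Assumption: directories are prefix matches
# and executable names are suffix matches (the Sigma rule's startswith /
# endswith semantics); the page's "not in" does not spell this out.
EXCLUDED_IMAGE_EXACT = ("System",)
EXCLUDED_IMAGE_PREFIXES = (
    "C:\\Program Files (x86)\\",
    "C:\\Program Files\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\",
)
EXCLUDED_IMAGE_SUFFIXES = (
    "\\MpCopyAccelerator.exe",
    "\\MsMpEng.exe",
    "\\thor.exe",
    "\\thor64.exe",
)


def is_credential_store(object_name):
    # Windows paths are case-insensitive, so compare lowercased values; the
    # IOC spelling "Appdata" then still matches a logged "AppData".
    name = object_name.lower()
    return any(name.endswith(s.lower()) for s in CREDENTIAL_STORE_SUFFIXES)


def is_excluded_process(process_name):
    proc = process_name.lower()
    if proc in (e.lower() for e in EXCLUDED_IMAGE_EXACT):
        return True
    if any(proc.startswith(p.lower()) for p in EXCLUDED_IMAGE_PREFIXES):
        return True
    return any(proc.endswith(s.lower()) for s in EXCLUDED_IMAGE_SUFFIXES)


def is_suspicious_access(event):
    """Mirror of Query 1 (Windows Security 4663) and Query 2 (EDR)."""
    source = event.get("source")
    if source == "Windows Security":
        if str(event.get("event_id")) != "4663":
            return False
    elif source != "EDR":
        return False
    if not is_credential_store(event.get("object_name", "")):
        return False
    return not is_excluded_process(event.get("process_name", ""))


def find_suspicious(events):
    """Return (process_name, object_name) pairs that warrant triage."""
    return [(e["process_name"], e["object_name"])
            for e in events if is_suspicious_access(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"source": "Windows Security", "event_id": 4663,
     "object_name": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},   # alert
    {"source": "Windows Security", "event_id": 4663,
     "object_name": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "process_name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},  # allowlisted prefix
    {"source": "Windows Security", "event_id": 4663,
     "object_name": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\places.sqlite",
     "process_name": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},  # allowlisted
    {"source": "EDR", "event_id": None,
     "object_name": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json",
     "process_name": "C:\\Users\\bob\\Downloads\\tool.exe"},   # alert via Query 2
    {"source": "Windows Security", "event_id": 4656,
     "object_name": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
     "process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},   # wrong event ID
    {"source": "Windows Security", "event_id": 4663,
     "object_name": "C:\\Users\\alice\\Documents\\notes.txt",
     "process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},   # not a credential store
]

if __name__ == "__main__":
    for proc, obj in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT process={proc} object={obj}")
```

Run stand-alone it prints two alerts (the Temp\update.exe read of Chrome's Login Data and the Downloads\tool.exe read of Firefox's logins.json); the Chrome and Defender reads are suppressed by the allowlist, the 4656 handle request by Query 1's event ID filter. Every legitimate process that touches these files in your environment (browser updaters, backup agents, DLP) needs to be added to the exclusions during the baselining period the summary calls for.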
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml