Access To Browser Credential Files By Uncommon Applications - Security

    Date: 10/30/2024

    Severity: Medium

    Summary

    The report "Access to Browser Credential Files by Uncommon Applications - Security" describes a detection for Windows Security file-access events (EventID 4663) in which a process outside the normal baseline reads browser credential stores, such as Chromium's Login Data, Local State and Cookies files or Firefox's logins.json, key3.db and key4.db. Such access may indicate an attempt to steal stored credentials. Because many legitimate processes touch these files, the rule requires extensive baselining to establish a reliable reference for normal behavior before it can be used effectively.

    Indicators of Compromise (IOC) List

    EventID: 4663

    ObjectType: 'File'

    ObjectName:
        '\User Data\Default\Login Data'
        '\User Data\Local State'
        '\User Data\Default\Network\Cookies'
        '\cookies.sqlite'
        '\places.sqlite'
        'release\key3.db'
        'release\key4.db'
        'release\logins.json'

    ProcessName:
        System
        'C:\Program Files (x86)\'
        'C:\Program Files\'
        'C:\Windows\system32\'
        'C:\Windows\SysWOW64\'
        'C:\ProgramData\Microsoft\Windows Defender\'
        '\MpCopyAccelerator.exe'
        '\MsMpEng.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((resourcename = "Windows Security" AND eventtype = "4663") AND objecttype like "File") AND objectname in ("\User Data\Default\Login Data","\User Data\Local State","\User Data\Default\Network\Cookies","\cookies.sqlite","\places.sqlite","release\key3.db","release\key4.db","release\logins.json")) AND processname in ("System","C:\Program Files (x86)","C:\Program Files","C:\Windows\system32","C:\Windows\SysWOW64","C:\ProgramData\Microsoft\Windows Defender","\MpCopyAccelerator.exe","\MsMpEng.exe"))

    Detection Query 2

    ((((technologygroup = "EDR") AND objecttype like "File") AND objectname in ("\User Data\Default\Login Data","\User Data\Local State","\User Data\Default\Network\Cookies","\cookies.sqlite","\places.sqlite","release\key3.db","release\key4.db","release\logins.json")) AND processname in ("System","C:\Program Files (x86)","C:\Program Files","C:\Windows\system32","C:\Windows\SysWOW64","C:\ProgramData\Microsoft\Windows Defender","\MpCopyAccelerator.exe","\MsMpEng.exe"))
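    The following is an added example, not code from the Gurucul page or from the referenced Sigma rule: it applies the logic of the queries above to Security event 4663 records, treating the ProcessName list as the baseline of expected accessors that is filtered out (the Defender directory prefix and executable names form one combined filter), which is how the referenced Sigma rule uses those values. The sample events and the user and program paths in them are constructed.

```python
# Added example (not the page's or the Sigma rule's own code): evaluates Security
# 4663 file-access events against the credential-store paths and the baseline
# process list from the IOC list above. Sample events are constructed.
CREDENTIAL_PATHS = ("\\User Data\\Default\\Login Data", "\\User Data\\Local State",
                    "\\User Data\\Default\\Network\\Cookies", "\\cookies.sqlite",
                    "\\places.sqlite", "release\\key3.db", "release\\key4.db",
                    "release\\logins.json")
TRUSTED_DIR_PREFIXES = ("C:\\Program Files (x86)\\", "C:\\Program Files\\",
                        "C:\\Windows\\system32\\", "C:\\Windows\\SysWOW64\\")
DEFENDER_DIR = "C:\\ProgramData\\Microsoft\\Windows Defender\\"
DEFENDER_EXES = ("\\MpCopyAccelerator.exe", "\\MsMpEng.exe")

def is_credential_store(object_name):
    """True if the accessed path contains one of the browser credential stores."""
    name = object_name.lower()
    return any(p.lower() in name for p in CREDENTIAL_PATHS)

def is_expected_accessor(process_name):
    """True for baseline processes the rule filters out (paths compared case-insensitively)."""
    proc = process_name.lower()
    if proc == "system" or proc.startswith(tuple(p.lower() for p in TRUSTED_DIR_PREFIXES)):
        return True
    # Defender is only trusted when both the directory and the executable name match.
    return (proc.startswith(DEFENDER_DIR.lower())
            and proc.endswith(tuple(e.lower() for e in DEFENDER_EXES)))

def find_suspicious_access(events):
    """Return (ProcessName, ObjectName) for each 4663 file access to a credential store by a non-baseline process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663 or ev.get("ObjectType") != "File":
            continue  # the rule only considers object-access events on files
        if is_credential_store(ev["ObjectName"]) and not is_expected_accessor(ev["ProcessName"]):
            hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits

CHROME_LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
FIREFOX_LOGINS = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12.default-release\\logins.json"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 4663, "ObjectType": "File", "ObjectName": CHROME_LOGIN_DATA,
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},        # alert
    {"EventID": 4663, "ObjectType": "File", "ObjectName": CHROME_LOGIN_DATA,
     "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},  # baseline dir
    {"EventID": 4663, "ObjectType": "File", "ObjectName": FIREFOX_LOGINS,
     "ProcessName": DEFENDER_DIR + "Platform\\4.18.0-0\\MsMpEng.exe"},              # Defender filter
    {"EventID": 4663, "ObjectType": "File", "ObjectName": "C:\\Users\\alice\\notes.txt",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},        # not a store
]
```

    Only the first sample event is reported; the others are dropped by the baseline filter or because the file is not a credential store.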

    Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml


    Tags: Malware, Sigma, Credential Theft
