SQLite Chromium Profile Data DB Access

Severity: high
Author: TropChaud
Source: upstream

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1539` Steal Web Session Cookie, `T1555.003` Credentials from Password Stores: Credentials from Web Browsers
Collection	`T1005` Data from Local System

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_sql`

or:
Image|endswith: '\sqlite.exe'
Image|endswith: '\sqlite3.exe'
Product: SQLite

Stage 2: `all of selection_chromium`

or:
CommandLine|contains: '\ChromiumViewer\'
CommandLine|contains: '\Opera Software\'
CommandLine|contains: '\User Data\'

Stage 3: `all of selection_data`

or:
CommandLine|contains: Bookmarks
CommandLine|contains: Cookies
CommandLine|contains: History
CommandLine|contains: 'Login Data'
CommandLine|contains: 'Web Data'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`Bookmarks` corpus 2 (sigma 2) `Cookies` corpus 2 (sigma 2) `History` corpus 2 (sigma 2) `Login Data` corpus 2 (sigma 2) `Web Data` `\ChromiumViewer\` `\Opera Software\` `\User Data\`
`Image`	ends_with	`\sqlite.exe` corpus 2 (sigma 2) `\sqlite3.exe` corpus 2 (sigma 2)
`Product`	eq	`SQLite` corpus 2 (sigma 2)