File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files, db.sqlite and config.json. The db.sqlite file stores all locally saved messages in an encrypted SQLite database, and config.json holds the key that decrypts it. Because the key is stored in plain text, a threat actor who obtains both files can decrypt and read the messages without needing the user's credentials. Currently the rule only covers the default Signal installation path under AppData\Roaming; Signal Portable installations may use different paths depending on user configuration, and additional paths can be added to the selection as needed. Note that event 4663 is only generated when object-access auditing is enabled and a SACL covering these files is in place; without that, the rule has no telemetry to match. Also note that the filter suppresses accesses by executable name only, so any process whose image name ends in signal.exe or signal-portable.exe is excluded regardless of where it runs from.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: selection (all of the following must hold; the two endswith values are alternatives)
ObjectType: File
ObjectName|contains: '\AppData\Roaming\Signal\'
ObjectName|endswith: '\config.json' or '\db.sqlite'
Stage 2: not 1 of filter_main_signal (a match is suppressed when the accessing process is Signal itself)
ProcessName|endswith: '\signal.exe' or '\signal-portable.exe'
Condition: selection and not 1 of filter_main_*
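The selection and filter above, evaluated over constructed 4663 events, as an added example (not code from the rule, the Sigma project, or this catalog). It applies standard Sigma semantics: fields within a selection are ANDed, list values are ORed, string matching is case-insensitive. The event dictionaries, paths and process names are made up for illustration; the `sql\` subdirectory for db.sqlite is an assumption about the Signal Desktop layout, and the rule's `contains` on the directory matches it either way.

```python
# Added example: the rule's detection logic as plain Python, run over
# constructed Security 4663 events. Not part of the Sigma rule itself.

# Predicates copied from the rule. Lowercase because Sigma matches
# strings case-insensitively by default.
SIGNAL_DIR = "\\appdata\\roaming\\signal\\"
SENSITIVE_SUFFIXES = (r"\config.json", r"\db.sqlite")
SIGNAL_BINARIES = (r"\signal.exe", r"\signal-portable.exe")


def _field(event, name):
    """Return an event field lowercased ('' if absent) for case-insensitive matching."""
    return str(event.get(name, "")).lower()


def selection(event):
    """Stage 1: every field condition must hold; the endswith list is an OR."""
    obj = _field(event, "ObjectName")
    return (
        _field(event, "ObjectType") == "file"
        and SIGNAL_DIR in obj
        and obj.endswith(SENSITIVE_SUFFIXES)
    )


def filter_main_signal(event):
    """Stage 2: accesses by a process named like Signal's own binary are suppressed."""
    return _field(event, "ProcessName").endswith(SIGNAL_BINARIES)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_signal(event)


def alerts(events):
    """Return (ProcessName, ObjectName) for every event that triggers the rule."""
    return [(e["ProcessName"], e["ObjectName"]) for e in events if matches(e)]


# Constructed sample events (hypothetical hosts, users and binaries).
SAMPLE_EVENTS = [
    # Signal itself reading its key file: selected, then filtered out.
    {"EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\config.json",
     "ProcessName": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"},
    # PowerShell reading the key file: alert.
    {"EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\config.json",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Unknown binary reading the message database (assumed sql\ subfolder): alert.
    {"EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite",
     "ProcessName": r"C:\Users\alice\Downloads\collect.exe"},
    # A config.json outside the Signal directory: the contains check fails.
    {"EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Code\User\config.json",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Wrong object type: the rule only looks at File objects.
    {"EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Signal\db.sqlite",
     "ProcessName": r"C:\Windows\System32\reg.exe"},
    # A binary merely named signal.exe in an unexpected location: the
    # name-based filter still suppresses it, which is the rule's blind spot.
    {"EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\config.json",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\Signal\signal.exe"},
]

if __name__ == "__main__":
    for proc, obj in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {proc} accessed {obj}")
```

Running it reports only the PowerShell and collect.exe accesses. The last sample shows why the filter is worth tightening in a production deployment (for example by also checking the image path or a code-signing attribute, where the log source carries one): the rule as written trusts the executable name alone.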
Indicators
Each row is a field, operator, and the value(s) that the rule matches on.
| Field | Kind | Values |
|---|---|---|
| ObjectName | ends_with | `\config.json`, `\db.sqlite` |
| ObjectName | match | `\AppData\Roaming\Signal\` |
| ObjectType | eq | File |
| ProcessName | ends_with | `\signal-portable.exe`, `\signal.exe` |