Windows Credential Access From Browser Password Store
The following analytic identifies a process that is not a known browser accessing a browser's user data profile. This tactic/technique has been observed in various trojan stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that unexpectedly read browser user data profiles. The detection uses a lookup file, browser_app_list, that maintains a list of well-known browser applications and the browser paths they are allowed to access within the browser user data profiles.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1012 Query Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
- Stage 1 (search): `search EventCode=4663`
- Stage 2 (stats): `stats BY _time, object_file_path, object_file_name, dest, process_name, process_path, process_id, EventCode`
- Stage 3 (lookup): `lookup <lookup> browser_object_path, browser_process_name, isAllowed, object_file_path`
- Stage 4 (stats): `stats BY dest, process_name, process_path, process_id, EventCode, isAllowed`
- Stage 5 (rex): `rex field=process_name ...`
- Stage 6 (eval): `eval ... using (browser_process_name, extracted_process_name)`
- Stage 7 (where): `where isAllowed="false" isMalicious=1`
- Stage 8 (search): `search`
- Stage 9 (search): `search`
- Stage 10 (search): `` search `macro` ``
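The stage pipeline above is easier to reason about when run end to end over a handful of events. The following Python script is an added example, not part of the original rule or the Splunk content; it replays stages 1 through 7 over constructed Security 4663 records and a constructed stand-in for the browser_app_list lookup. The lookup column layout (a wildcard `browser_object_path`, the `browser_process_name` allowed for it, and an `isAllowed` flag) and the basename extraction in the rex stage are assumptions, since the page elides those details.

```python
import fnmatch
import ntpath
from collections import Counter

# Constructed stand-in for the browser_app_list lookup (column names assumed):
# a path pattern for a browser's user data profile, the one process allowed to
# touch it, and the isAllowed flag the rule's where clause tests.
BROWSER_APP_LIST = [
    {"browser_object_path": "*\\AppData\\Local\\Google\\Chrome\\User Data\\*",
     "browser_process_name": "chrome.exe", "isAllowed": "false"},
    {"browser_object_path": "*\\AppData\\Local\\Microsoft\\Edge\\User Data\\*",
     "browser_process_name": "msedge.exe", "isAllowed": "false"},
    {"browser_object_path": "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*",
     "browser_process_name": "firefox.exe", "isAllowed": "false"},
]

# Constructed sample of already-parsed Security events, using the field names
# the rule's stages reference.
CHROME_LOGIN_DATA = ("C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\"
                     "User Data\\Default\\Login Data")
SAMPLE_EVENTS = [
    # Chrome itself reading its own profile: expected, must not alert.
    {"EventCode": 4663, "dest": "WS01", "process_id": "0x1a4",
     "process_name": "C:\\Program Files\\Google\\Chrome\\Application\\CHROME.EXE",
     "process_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "object_file_path": CHROME_LOGIN_DATA, "object_file_name": "Login Data"},
    # An unknown binary reading two Chrome profile files: should alert once, count 2.
    {"EventCode": 4663, "dest": "WS01", "process_id": "0x9c0",
     "process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "object_file_path": CHROME_LOGIN_DATA, "object_file_name": "Login Data"},
    {"EventCode": 4663, "dest": "WS01", "process_id": "0x9c0",
     "process_name": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "object_file_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
     "object_file_name": "Local State"},
    # Access outside any browser profile: the lookup yields no row, ignored.
    {"EventCode": 4663, "dest": "WS02", "process_id": "0x4f8",
     "process_name": "C:\\Windows\\explorer.exe", "process_path": "C:\\Windows\\explorer.exe",
     "object_file_path": "C:\\Users\\bob\\Documents\\notes.txt", "object_file_name": "notes.txt"},
    # Handle request (4656) rather than object access (4663): dropped by stage 1.
    {"EventCode": 4656, "dest": "WS02", "process_id": "0x7d0",
     "process_name": "C:\\Users\\bob\\AppData\\Roaming\\tool.exe",
     "process_path": "C:\\Users\\bob\\AppData\\Roaming\\tool.exe",
     "object_file_path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json",
     "object_file_name": "logins.json"},
]


def lookup_browser_row(object_file_path, app_list=BROWSER_APP_LIST):
    """Stage 3: match the accessed path against the lookup's wildcard patterns.
    Returns the matching lookup row, or None when the object is not a browser
    user data location. Comparison is case-insensitive, as NTFS paths are."""
    path = object_file_path.lower()
    for row in app_list:
        if fnmatch.fnmatchcase(path, row["browser_object_path"].lower()):
            return row
    return None


def extract_process_name(process_name):
    """Stage 5 (assumed rex): reduce process_name to its image basename so a
    full path can be compared against browser_process_name."""
    return ntpath.basename(process_name).lower()


def detect(events, app_list=BROWSER_APP_LIST):
    """Stages 1 to 7 followed by a stats roll-up. Returns one row per
    (dest, process_name, process_path, process_id) that read a browser profile
    without being that profile's browser, with an access count."""
    hits = Counter()
    for ev in events:
        if ev.get("EventCode") != 4663:                       # Stage 1
            continue
        row = lookup_browser_row(ev["object_file_path"], app_list)
        if row is None:                                       # no lookup match
            continue
        extracted = extract_process_name(ev["process_name"])  # Stage 5
        # Stage 6: the access is malicious when the accessing image is not the
        # browser the lookup associates with that profile path.
        is_malicious = 0 if extracted == row["browser_process_name"].lower() else 1
        if row["isAllowed"] == "false" and is_malicious == 1:  # Stage 7
            key = (ev["dest"], ev["process_name"], ev["process_path"],
                   ev["process_id"], ev["EventCode"])
            hits[key] += 1
    return [
        {"dest": d, "process_name": n, "process_path": p, "process_id": i,
         "EventCode": e, "count": c, "isAllowed": "false", "isMalicious": 1}
        for (d, n, p, i, e), c in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the script reports a single row for `updater.exe` on WS01 with a count of 2; Chrome's own access, the non-profile read by explorer.exe, and the 4656 handle request all fall out at the stage where the rule would drop them. Because the allow-list is keyed on image basename, a copy of a stealer renamed to `chrome.exe` would pass stage 6, which is why the stricter neighbours listed below add filters on process path.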
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4663 |
| isAllowed | eq | "false" |
| isMalicious | eq | 1 |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or lacking in specificity.
- ConnectWise ScreenConnect Path Traversal Windows SACL (adds 3 filters)
- Windows Non Discord App Access Discord LevelDB (adds 3 filters)
- Non Chrome Process Accessing Chrome Default Dir (adds 2 filters)
- Non Firefox Process Access Firefox Profile Dir (adds 2 filters)
- SAM Database File Access Attempt (adds 2 filters)
- Windows Credentials from Password Stores Chrome Extension Access (adds 2 filters)
- Windows Credentials from Password Stores Chrome LocalState Access (adds 2 filters)
- Windows Credentials from Password Stores Chrome Login Data Access (adds 2 filters)
- Windows Hosts File Access (adds 2 filters)
- Windows Query Registry Browser List Application (adds 2 filters)
- Windows Unsecured Outlook Credentials Access In Registry (adds 2 filters)
- Windows Unusual FileZilla XML Config Access (adds 2 filters)
- Windows Unusual Intelliform Storage Registry Access (adds 2 filters)
- Windows Product Key Registry Query (adds 1 filter)
- Windows Query Registry UnInstall Program List (adds 1 filter)