Detection rules › Splunk
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE Filesystem.file_name IN ("Local State", "Login Data") Filesystem.file_path="*\\temp\\*" BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_name | in |
|
Filesystem.file_path | eq |
|