Merge PR #5057 from @Koifman - Add `Access To Browser Credential File…

…s By Uncommon Applications - Security` new: Access To Browser Credential Files By Uncommon Applications - Security --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: frack113 <[email protected]>
SigmaHQ · Oct 28, 2024 · 44176f0 · 44176f0
1 parent ad8ab49
commit 44176f0
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/...s-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml b/...s-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml
@@ -0,0 +1,56 @@
+title: Access To Browser Credential Files By Uncommon Applications - Security
+id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
+related:
+    - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
+      type: similar
+status: experimental
+description: |
+    Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
+references:
+    - https://ipurple.team/2024/09/10/browser-stored-credentials/
+author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
+date: 2024-10-21
+tags:
+    - attack.credential-access
+    - attack.t1555.003
+    - detection.threat-hunting
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
+detection:
+    selection_eid:
+        EventID: 4663
+        ObjectType: 'File'
+        # Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
+        AccessMask: '0x1'
+    selection_browser_chromium:
+        ObjectName|contains:
+            - '\User Data\Default\Login Data'
+            - '\User Data\Local State'
+            - '\User Data\Default\Network\Cookies'
+    selection_browser_firefox:
+        FileName|endswith:
+            - '\cookies.sqlite'
+            - '\places.sqlite'
+            - 'release\key3.db'  # Firefox
+            - 'release\key4.db'  # Firefox
+            - 'release\logins.json' # Firefox
+    filter_main_system:
+        ProcessName: System
+    filter_main_generic:
+        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
+        ProcessName|startswith:
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
+            - 'C:\Windows\system32\'
+            - 'C:\Windows\SysWOW64\'
+    filter_optional_defender:
+        ProcessName|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+        ProcessName|endswith:
+            - '\MpCopyAccelerator.exe'
+            - '\MsMpEng.exe'
+    condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
@@ -1,5 +1,8 @@
 title: Access To Browser Credential Files By Uncommon Applications
 id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
+related:
+    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
+      type: similar
 status: experimental
 description: |
     Detects file access requests to browser credential stores by uncommon processes.