{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/redline-stealer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["RedLine Stealer","other credential stealers"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome"],"_cs_severities":["high"],"_cs_tags":["credential-access","stealer","chrome"],"_cs_type":"threat","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection identifies processes other than Chrome accessing the \u0026quot;Login Data\u0026quot; file, an SQLite database containing sensitive user information such as saved usernames and passwords. This file is typically located in the Chrome user profile directory. The activity is detected by monitoring Windows Security Event logs (EventCode 4663) for object access events. The analytic aims to detect unauthorized attempts by malware or threat actors to steal credentials stored within the Chrome browser. This activity is particularly concerning because successful credential theft can lead to unauthorized access to sensitive accounts and potential privilege escalation within the compromised environment. Observed threat actors leveraging this technique include RedLine Stealer, DarkGate Malware, NjRAT, Phemedrone Stealer, and other credential stealers and RATs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious program (e.g., RedLine Stealer) on the compromised endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious program attempts to access the Chrome \u0026quot;Login Data\u0026quot; file located in the user's profile directory (e.g., \u003ccode\u003eC:\\\\Users\\\\\u0026lt;username\u0026gt;\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Windows Security Event Log generates an Event ID 4663, recording the access attempt.\u003c/li\u003e\n\u003cli\u003eThe malicious program reads the \u0026quot;Login Data\u0026quot; SQLite database, extracting saved usernames, passwords, and website URLs.\u003c/li\u003e\n\u003cli\u003eThe extracted credentials are then exfiltrated to the attacker's command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access sensitive accounts, potentially leading to data breaches, financial fraud, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Chrome login data can expose user credentials for various online services, including banking, email, and social media accounts. A successful attack can lead to financial loss, identity theft, and unauthorized access to sensitive corporate resources. Organizations using Chrome as their primary browser are particularly vulnerable. The number of affected users depends on the scope of the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026quot;Audit Object Access\u0026quot; in Group Policy and configure auditing for both \u0026quot;Success\u0026quot; and \u0026quot;Failure\u0026quot; events to generate Windows Security Event 4663, as required by the Splunk search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Non-Chrome Process Accessing Chrome Login Data\u0026quot; to your SIEM to identify unauthorized access attempts to the Chrome \u0026quot;Login Data\u0026quot; file.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the source process and the context of the access.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict which processes can access sensitive files like the Chrome \u0026quot;Login Data\u0026quot; file.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and social engineering attacks, which are common initial access vectors for malware that steals credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-chrome-login-data-access/","summary":"This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', an SQLite database containing sensitive information like saved passwords, potentially indicating credential theft attempts.","title":"Non-Chrome Process Accessing Chrome Login Data","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chrome-login-data-access/"}],"language":"en","title":"CraftedSignal Threat Feed - RedLine Stealer","version":"https://jsonfeed.org/version/1.1"}