{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/sangria-tempest/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["FIN7","Carbon Spider","Sangria Tempest"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","threat-type","windows"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection flags non-Chrome processes accessing the Chrome user data directory (by default \u003ccode\u003e%LOCALAPPDATA%\\Google\\Chrome\\User Data\u003c/code\u003e), a common technique used by malware and threat actors to steal sensitive information. It relies on Windows Security Event ID 4663 (An attempt was made to access an object), which Windows only writes for files and folders that carry a SACL audit entry while file-system auditing is enabled. The directory holds saved login credentials, browsing history, and cookies, which makes it a prime target for attackers aiming to harvest credentials or hijack authenticated sessions. The rule identifies access by any process other than Chrome itself. 
This behavior is often linked to Remote Access Trojans (RATs), infostealers, and groups such as FIN7 (also tracked as Carbon Spider and Sangria Tempest), known for financial theft and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMalware gains initial access to the system, typically through phishing or exploitation of a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe malware locates the Chrome user data directory and the profile folders beneath it (\u003ccode\u003eDefault\u003c/code\u003e, \u003ccode\u003eProfile 1\u003c/code\u003e, and so on).\u003c/li\u003e\n\u003cli\u003eThe malware opens files within that directory, such as \u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003eCookies\u003c/code\u003e, \u003ccode\u003eWeb Data\u003c/code\u003e and \u003ccode\u003eLocal State\u003c/code\u003e, generating Event 4663 for each audited access.\u003c/li\u003e\n\u003cli\u003eThe malware copies or exfiltrates the data. \u003ccode\u003eLocal State\u003c/code\u003e holds the key that encrypts saved passwords and cookies; on Chrome builds without app-bound encryption that key is wrapped with user-scoped DPAPI, so any process running as the user can recover it without further privileges.\u003c/li\u003e\n\u003cli\u003eThe malware may use the stolen credentials or session cookies to access other systems or services.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised accounts to perform unauthorized actions or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack results in the theft of sensitive user data, including login credentials, browsing history, and cookies. Stolen cookies let an attacker replay authenticated sessions without the password or a second factor, and stolen credentials can be used to compromise accounts, steal financial information, or gain unauthorized access to other systems and services. Multiple Splunk analytic stories relate this behavior to credential stealers, RATs, and APTs. 
Victims may experience financial losses, identity theft, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file-system auditing for both success and failure events through Group Policy (Advanced Audit Policy Configuration, Object Access, Audit File System; or the legacy \u0026ldquo;Audit Object Access\u0026rdquo; policy), and apply a SACL audit entry to the Chrome \u003ccode\u003eUser Data\u003c/code\u003e directory for the users concerned. The policy alone is not enough: without a SACL on the directory, Windows never writes Event ID 4663 for it.\u003c/li\u003e\n\u003cli\u003eForward the Windows Security log to Splunk and deploy the detection \u003ccode\u003eNon Chrome Process Accessing Chrome Default Dir\u003c/code\u003e to alert on access to the Chrome user data directory by processes other than Chrome.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert using the full \u003ccode\u003eProcessName\u003c/code\u003e path rather than the file name alone (a \u003ccode\u003echrome.exe\u003c/code\u003e outside the Chrome Application folder is suspicious, not benign), the \u003ccode\u003eObjectName\u003c/code\u003e (access to \u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003eCookies\u003c/code\u003e or \u003ccode\u003eLocal State\u003c/code\u003e weighs more than a read of \u003ccode\u003eHistory\u003c/code\u003e), and the account involved. Tune known backup, antivirus and indexing agents as explicit exceptions rather than disabling the rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-chrome-default-dir-access/","summary":"Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.","title":"Non-Chrome Process Accessing Chrome Default Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chrome-default-dir-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Sangria Tempest","version":"https://jsonfeed.org/version/1.1"}
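The detection and triage logic the brief above describes, run over constructed Event 4663 records, as an added example. This is not CraftedSignal's or Splunk's code and it is not the SPL search; it is a stand-alone Python model of the rule that goes slightly beyond the brief in two ways: it trusts only a chrome.exe under the default Chrome Application install path (so a dropped or renamed chrome.exe is still flagged) and it rates access to Login Data, Cookies, Web Data and Local State higher than access to other files. The flat key="value" event lines, the host name WS01, the user names and the empty ALLOWLIST are all constructed for the example.

```python
# Detection logic for Windows Security Event 4663: flag any process other than a
# legitimately installed chrome.exe that touches the Chrome user data directory.
# Added example; not CraftedSignal or Splunk code. Sample events are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# Chrome profile store on Windows: %LOCALAPPDATA%\Google\Chrome\User Data\...
# ObjectName casing in 4663 follows the caller, so match case-insensitively.
CHROME_USER_DATA = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)

# Where a legitimate chrome.exe lives. Assumption: the default install path;
# extend this for non-standard deployments in your fleet.
CHROME_EXE = re.compile(r"\\google\\chrome\\application\\chrome\.exe$", re.IGNORECASE)

# Files whose disclosure matters most: saved passwords (Login Data), session
# cookies (Cookies), autofill (Web Data) and the key protecting them (Local State).
HIGH_VALUE = re.compile(r"\\(login data|cookies|web data|local state)$", re.IGNORECASE)

# Hypothetical tuning list of process-path regexes to suppress (e.g. a backup
# agent). Empty by default so the analyst decides what to exclude.
ALLOWLIST: List[str] = []


@dataclass
class Finding:
    host: str
    user: str
    process: str
    object_name: str
    access_mask: str
    severity: str


def parse_event(line: str) -> dict:
    """Parse a constructed key="value" rendering of one Security event."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def is_chrome_process(process_name: str) -> bool:
    """True only for chrome.exe in its install folder; a chrome.exe dropped
    elsewhere (e.g. Downloads) is deliberately not trusted."""
    return CHROME_EXE.search(process_name) is not None


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule to one parsed event; None means no finding."""
    if event.get("EventCode") != "4663":
        return None
    obj = event.get("ObjectName", "")
    proc = event.get("ProcessName", "")
    if not CHROME_USER_DATA.search(obj) or is_chrome_process(proc):
        return None
    if any(re.search(p, proc, re.IGNORECASE) for p in ALLOWLIST):
        return None
    return Finding(
        host=event.get("ComputerName", "?"),
        user=event.get("SubjectUserName", "?"),
        process=proc,
        object_name=obj,
        access_mask=event.get("AccessMask", "?"),
        severity="high" if HIGH_VALUE.search(obj) else "medium",
    )


def detect(lines: List[str]) -> List[Finding]:
    """Run the rule over a batch of event lines, keeping only findings."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry) in a flat key="value" form.
SAMPLE_EVENTS = [
    # Chrome itself reading its own password store: expected, no finding.
    r'EventCode="4663" ComputerName="WS01" SubjectUserName="alice" '
    r'ProcessName="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" AccessMask="0x1"',
    # Dropped binary in Temp reading saved passwords: high.
    r'EventCode="4663" ComputerName="WS01" SubjectUserName="alice" '
    r'ProcessName="C:\Users\alice\AppData\Local\Temp\updater.exe" '
    r'ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" AccessMask="0x1"',
    # Windows Search indexing browsing history: medium, a tuning candidate.
    r'EventCode="4663" ComputerName="WS01" SubjectUserName="SYSTEM" '
    r'ProcessName="C:\Windows\System32\SearchIndexer.exe" '
    r'ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History" AccessMask="0x1"',
    # Masquerading chrome.exe outside the install folder reading the key file: high.
    r'EventCode="4663" ComputerName="WS01" SubjectUserName="alice" '
    r'ProcessName="C:\Users\alice\Downloads\chrome.exe" '
    r'ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State" AccessMask="0x1"',
    # Unrelated file access: not in scope.
    r'EventCode="4663" ComputerName="WS01" SubjectUserName="alice" '
    r'ProcessName="C:\Windows\System32\notepad.exe" '
    r'ObjectName="C:\Users\alice\Documents\notes.txt" AccessMask="0x2"',
    # Handle request (4656) on a Chrome file: a different event, not matched here.
    r'EventCode="4656" ComputerName="WS01" SubjectUserName="alice" '
    r'ProcessName="C:\Users\alice\AppData\Local\Temp\updater.exe" '
    r'ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies" AccessMask="0x1"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user} {f.process} -> {f.object_name} ({f.access_mask})")
```

Run as-is, the block reports three findings: the Temp updater and the Downloads chrome.exe as high, and SearchIndexer.exe as medium. The last one is the kind of hit the Recommendation section means by tuning: add its path to ALLOWLIST as a documented exception rather than turning the rule off, and keep the process-path check so a renamed chrome.exe never slips through on file name alone.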