Sangria Tempest — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/actors/sangria-tempest/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 10:00:00 +0000Non-Chrome Process Accessing Chrome Default Directoryhttps://feed.craftedsignal.io/briefs/2024-01-03-chrome-default-dir-access/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-chrome-default-dir-access/Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.This alert detects non-Chrome processes accessing the Chrome user data directory, a common tactic used by malware and threat actors to steal sensitive information. This activity is detected using Windows Security Event logs, specifically event ID 4663. The Chrome default folder contains sensitive user data, including login credentials, browsing history, and cookies. This makes it a prime target for attackers aiming to harvest credentials or gain access to user accounts. The detection is designed to identify unauthorized access attempts by processes not typically associated with Chrome. This behavior is often linked to Remote Access Trojans (RATs), trojans, and advanced persistent threats (APTs) like FIN7, known for their focus on financial theft and data breaches.

Attack Chain

  1. Malware gains initial access to the system, potentially through phishing or exploiting a software vulnerability.
  2. The malware establishes persistence on the system.
  3. The malware identifies the location of the Chrome user data directory.
  4. The malware attempts to access files within the Chrome user data directory, triggering Windows Security Event 4663.
  5. The malware copies or exfiltrates sensitive data from the Chrome directory, such as login credentials and cookies.
  6. The malware may use stolen credentials to access other systems or services.
  7. The attacker uses compromised accounts to perform unauthorized actions or move laterally within the network.

Impact

A successful attack can result in the theft of sensitive user data, including login credentials, browsing history, and cookies. This data can be used to compromise user accounts, steal financial information, or gain unauthorized access to other systems and services. Multiple analytic stories relate this behavior to credential stealers, RATs, and APTs. Victims may experience financial losses, identity theft, or reputational damage.

Recommendation

  • Enable “Audit Object Access” in Group Policy and configure auditing for both success and failure events as described in the “how_to_implement” section to ensure Event ID 4663 is captured.
  • Deploy the Sigma rule Non Chrome Process Accessing Chrome Default Dir to your SIEM to detect unauthorized access attempts to Chrome user data directories.
  • Investigate any alerts generated by this rule, focusing on the ProcessName and ObjectName to understand the context of the access as noted in the search query.
]]>highthreatcredential-accessthreat-typewindows