{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/snake-keylogger/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Snake Keylogger"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","stealer","windows"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to browser password stores, a technique commonly employed by credential-stealing malware such as Snake Keylogger. These attackers aim to exfiltrate sensitive information, including stored credentials and browsing history, by accessing browser user data profiles. This activity is detected by monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against an expected list of browser applications via the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup table. The detection identifies processes that are not recognized as legitimate browser applications but are attempting to access browser user data. This technique has been observed in trojan stealers, where credential access is a key component of their information-gathering strategy. This method allows defenders to quickly pivot and discover potentially malicious processes on the system, such as credential stealers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads and executes a malicious file, often disguised as a legitimate application or document.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, dropping a stealer component into the system.\u003c/li\u003e\n\u003cli\u003eThe stealer process initiates an attempt to access browser user data profiles.\u003c/li\u003e\n\u003cli\u003eWindows generates a Security Event Log (EventCode 4663) when the stealer attempts to access a browser data file.\u003c/li\u003e\n\u003cli\u003eThe detection analytic identifies processes accessing the browser data folder not present in the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup file.\u003c/li\u003e\n\u003cli\u003eThe stealer process reads sensitive information, such as usernames, passwords, and browsing history, from the accessed files.\u003c/li\u003e\n\u003cli\u003eThe collected data is staged for exfiltration, potentially compressed or encrypted.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials and information are exfiltrated to a command-and-control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of user credentials, potentially granting attackers unauthorized access to sensitive accounts and systems. This can result in data breaches, financial loss, and reputational damage. The Snake Keylogger, for example, is known to target credentials, potentially impacting a wide range of users and organizations. Other stealers like Meduza Stealer, 0bj3ctivity Stealer, and BlankGrabber Stealer also utilize similar techniques, showing the widespread impact. The impact spans across various sectors, as credential theft is a generic attack applicable to almost any environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logging, specifically event code 4663, with auditing enabled for both success and failure events, to capture object access attempts (reference: search description).\u003c/li\u003e\n\u003cli\u003ePopulate and maintain the \u003ccode\u003ebrowser_app_list\u003c/code\u003e lookup table with known and allowed browser processes and their associated paths (reference: search description).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect anomalous processes accessing browser password stores, and tune it for your specific environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to identify potentially compromised systems and user accounts (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-browser-credential-access/","summary":"Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.","title":"Suspicious Process Accessing Browser Password Store","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Snake Keylogger","version":"https://jsonfeed.org/version/1.1"}