Skip to content
Threat Feed
high threat

Unusual Process Accessing Browser Password Store

A Windows anomaly detection identifies non-browser processes accessing browser user data profiles, indicative of credential theft by malware such as SnakeKeylogger, which attempts to gather sensitive browser information.

This detection identifies a potentially malicious technique where non-browser applications attempt to access browser user data profiles on Windows systems. This behavior is characteristic of credential-stealing malware, such as SnakeKeylogger, which targets sensitive browser information and stored credentials. The technique involves unauthorized processes accessing files and directories typically associated with browser password stores and user data. This activity is flagged as anomalous because legitimate non-browser applications rarely, if ever, need to access these specific files. The detection logic relies on monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against a known list of legitimate browser applications (browser_app_list lookup table). The scope of this activity focuses on Windows endpoints, where many users store passwords and other sensitive data within their browsers.

Attack Chain

  1. The attacker gains initial access to the system, possibly through phishing or exploiting vulnerabilities.
  2. The attacker deploys malware such as SnakeKeylogger or similar credential-stealing Trojans.
  3. The malware attempts to identify the locations of browser user data profiles (e.g., Chrome, Firefox, Edge).
  4. The malware leverages Windows APIs to open handles to files within the browser user data profile directories.
  5. Windows Security Event Log generates Event ID 4663, indicating an attempt to access an object.
  6. The analytic detects the anomalous access by a non-browser process based on the browser_app_list lookup.
  7. The malware extracts stored credentials, cookies, and other sensitive data from the accessed files.
  8. The stolen data is exfiltrated to a remote server controlled by the attacker.

Impact

A successful attack can lead to the compromise of user credentials, granting the attacker unauthorized access to sensitive accounts, including email, banking, and social media. This could result in financial loss, identity theft, and further compromise of systems and networks. The Snake Keylogger has been observed in campaigns targeting various sectors, exfiltrating user data and credentials. This type of credential access can enable lateral movement within the compromised network, leading to wider-scale breaches and data theft.

Recommendation

  • Ingest Windows Security Event logs and specifically track Event Code 4663 to enable the detections described in this brief.
  • Enable "Audit Object Access" in Group Policy with success and failure auditing to generate Event ID 4663 as described in the "How To Implement" section of the source content.
  • Deploy the Sigma rule Suspicious Process Accessing Browser Password Store to your SIEM and tune the browser_app_list lookup table for your specific environment.
  • Investigate any alerts generated by the Sigma rule to identify potentially compromised systems and credentials.

Detection coverage 2

Suspicious Process Accessing Browser Password Store

high

Detects non-browser processes accessing browser user data profiles, indicative of credential theft.

sigma tactics: credential_access techniques: T1003 sources: file_event, windows

Suspicious Process Accessing Browser Password Store via Object Name

medium

Detects suspicious processes accessing browser password stores based on the object name, potentially indicating credential theft.

sigma tactics: credential_access techniques: T1003 sources: file_event, windows

Detection queries are available on the platform. Get full rules →