Unusual Process Accessing Browser Password Store
A Windows anomaly detection identifies non-browser processes accessing browser user data profiles, indicative of credential theft by malware such as SnakeKeylogger, which attempts to gather sensitive browser information.
This detection identifies a potentially malicious technique where non-browser applications attempt to access browser user data profiles on Windows systems. This behavior is characteristic of credential-stealing malware, such as SnakeKeylogger, which targets sensitive browser information and stored credentials. The technique involves unauthorized processes accessing files and directories typically associated with browser password stores and user data. This activity is flagged as anomalous because legitimate non-browser applications rarely, if ever, need to access these specific files. The detection logic relies on monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against a known list of legitimate browser applications (browser_app_list lookup table). The scope of this activity focuses on Windows endpoints, where many users store passwords and other sensitive data within their browsers.
Attack Chain
- The attacker gains initial access to the system, possibly through phishing or exploiting vulnerabilities.
- The attacker deploys malware such as SnakeKeylogger or similar credential-stealing Trojans.
- The malware attempts to identify the locations of browser user data profiles (e.g., Chrome, Firefox, Edge).
- The malware leverages Windows APIs to open handles to files within the browser user data profile directories.
- Windows Security Event Log generates Event ID 4663, indicating an attempt to access an object.
- The analytic detects the anomalous access by a non-browser process based on the
browser_app_listlookup. - The malware extracts stored credentials, cookies, and other sensitive data from the accessed files.
- The stolen data is exfiltrated to a remote server controlled by the attacker.
Impact
A successful attack can lead to the compromise of user credentials, granting the attacker unauthorized access to sensitive accounts, including email, banking, and social media. This could result in financial loss, identity theft, and further compromise of systems and networks. The Snake Keylogger has been observed in campaigns targeting various sectors, exfiltrating user data and credentials. This type of credential access can enable lateral movement within the compromised network, leading to wider-scale breaches and data theft.
Recommendation
- Ingest Windows Security Event logs and specifically track Event Code 4663 to enable the detections described in this brief.
- Enable "Audit Object Access" in Group Policy with success and failure auditing to generate Event ID 4663 as described in the "How To Implement" section of the source content.
- Deploy the Sigma rule
Suspicious Process Accessing Browser Password Storeto your SIEM and tune thebrowser_app_listlookup table for your specific environment. - Investigate any alerts generated by the Sigma rule to identify potentially compromised systems and credentials.
Detection coverage 2
Suspicious Process Accessing Browser Password Store
highDetects non-browser processes accessing browser user data profiles, indicative of credential theft.
Suspicious Process Accessing Browser Password Store via Object Name
mediumDetects suspicious processes accessing browser password stores based on the object name, potentially indicating credential theft.
Detection queries are available on the platform. Get full rules →