Skip to content
Threat Feed
high advisory

Suspicious Access to Chrome Extension Directories

Non-Chrome processes accessing Chrome extension directories can indicate credential theft or data exfiltration attempts by malware such as RedLine Stealer.

This threat brief addresses the risk of unauthorized access to Google Chrome extension directories. Attackers, including credential stealers like RedLine Stealer, target these directories to extract sensitive information such as stored credentials, cookies, and browsing history. The detection focuses on identifying processes that are not Chrome or system-related executables accessing the Local Extension Settings directory. This activity signifies a potential compromise, where malware or unauthorized applications attempt to steal user data stored by Chrome extensions. Successful exploitation allows adversaries to gain access to user accounts, financial information, and other sensitive data. The analytic leverages Windows Security Event logs (4663) to detect this anomalous behavior.

Attack Chain

  1. The attacker gains initial access to the system through an unknown vector (e.g., malicious email attachment, drive-by download).
  2. The attacker deploys a credential stealer such as RedLine Stealer on the victim machine.
  3. The malware attempts to access the Chrome browser's Local Extension Settings directory: *\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*.
  4. Windows Security Event 4663 is generated, logging the process attempting to access the Chrome extension directory.
  5. The malware reads the contents of the extension settings, searching for sensitive information like passwords, API keys, and authentication tokens.
  6. The stolen credentials and other data are exfiltrated to a command-and-control (C2) server controlled by the attacker.
  7. The attacker uses the stolen credentials to access the victim's online accounts, potentially leading to financial fraud, identity theft, or further compromise of the victim's network.

Impact

Successful exploitation can lead to the theft of credentials, cookies, and other sensitive data stored by Chrome extensions. This stolen information can be used to compromise user accounts, access financial information, and conduct identity theft. The impact can range from individual account compromise to broader organizational breaches, depending on the scope of the attacker's access and the sensitivity of the stolen data. Several malware families, including RedLine Stealer, StealC, DarkGate, Amadey, Meduza Stealer, Phemedrone Stealer, Braodo Stealer, MoonPeak, 0bj3ctivity Stealer, and BlankGrabber Stealer, have been observed targeting Chrome extension data.

Recommendation

  • Enable "Audit Object Access" in Group Policy with Success and Failure auditing for file access to activate event code 4663 (Windows Event Log Security).
  • Deploy the Sigma rule "Detect Suspicious Chrome Extension Access" to your SIEM and tune for your environment to detect unauthorized access attempts to Chrome extension directories.
  • Investigate any alerts generated by the Sigma rule to identify potentially compromised systems and assess the scope of the breach.
  • Monitor for network connections originating from processes accessing Chrome extension data, looking for suspicious outbound traffic to unknown destinations (Network Connection Logs).
  • Implement multi-factor authentication (MFA) on all critical accounts to mitigate the impact of stolen credentials.

Detection coverage 2

Detect Suspicious Chrome Extension Access

high

Detects non-standard processes accessing Chrome extension directories, which is indicative of credential theft attempts.

sigma tactics: credential_access techniques: T1003, T1012 sources: file_event, windows

Detect Chrome Extension Directory Access via Windows Event Log

high

Detects processes accessing Chrome extension directories by monitoring Windows Security Event logs (event code 4663).

sigma tactics: credential_access techniques: T1003, T1012 sources: file_event, windows

Detection queries are available on the platform. Get full rules →