Unauthorized Access to Chrome Local State File
Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.
This threat brief focuses on detecting unauthorized access to the Chrome ‘Local State’ file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The ‘Local State’ file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it’s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.
Attack Chain
- The attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).
- Malware is deployed on the victim machine (e.g., RedLine Stealer).
- The malware attempts to locate the Chrome ‘Local State’ file, typically found at *\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.
- The malware process accesses the ‘Local State’ file, triggering a Windows Security Event 4663.
- The malware extracts the encrypted master key from the ‘Local State’ file.
- The malware decrypts the master key using attacker-controlled methods.
- The decrypted master key is used to decrypt saved passwords stored by Chrome.
- The stolen credentials are exfiltrated to the attacker’s command and control server.
Impact
Successful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.
Recommendation
- Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events to ensure Windows Security Event 4663 is generated for file access, as described in the “how_to_implement” section.
- Deploy the Sigma rule “Detect Chrome Local State File Access by Non-Chrome Processes” to your SIEM to detect unauthorized access attempts (see “rules” section). Tune the rule’s filter list to reduce false positives related to legitimate software uninstallers.
- Investigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the ‘Local State’ file, as described in the rule’s description.
- Consider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.
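The detection logic the recommendations describe, written out as an added example (not the platform's own rule): parse the field lines of Windows Security event 4663 records, match the ‘Local State’ path, and report any accessing process outside a tunable allow-list. The Chrome install paths in the allow-list and the sample records are constructed for the example; the Sigma rule itself stays in the platform.

```python
import re

# Path suffix of the file the brief describes (compared case-insensitively).
LOCAL_STATE_SUFFIX = r"\appdata\local\google\chrome\user data\local state"

# Tuning list: processes expected to read Local State. Chrome's install paths
# here are assumed for the example; add vetted uninstallers to cut false positives.
ALLOWED_PROCESSES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

# A 4663 message body is a series of 'Key:<tabs>Value' lines.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$")

def parse_4663(message: str) -> dict:
    """Pull the 'Key: Value' lines of a 4663 message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def find_local_state_access(events):
    """events: (event_id, message) pairs. Returns (account, process, object, accesses)
    for each Local State access by a process outside ALLOWED_PROCESSES.
    Note: 4663 is only logged when Audit Object Access is enabled AND the file has a SACL."""
    findings = []
    for event_id, message in events:
        if event_id != 4663:
            continue
        f = parse_4663(message)
        obj, proc = f.get("Object Name", ""), f.get("Process Name", "")
        if obj.lower().endswith(LOCAL_STATE_SUFFIX) and proc.lower() not in ALLOWED_PROCESSES:
            findings.append((f.get("Account Name", "?"), proc, obj, f.get("Accesses", "?")))
    return findings

def _event(account, obj, proc, accesses):
    """Build a constructed (not real) 4663 message body trimmed to the fields used."""
    return (f"Subject:\n\tAccount Name:\t\t{account}\nObject Name:\t\t{obj}\n"
            f"Process Name:\t\t{proc}\nAccesses:\t\t{accesses}\n")

LS = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"
SAMPLE_EVENTS = [  # constructed sample records: Chrome itself, an unknown Temp binary, an unrelated file, a 4656 handle request
    (4663, _event("alice", LS, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ReadData")),
    (4663, _event("alice", LS, r"C:\Users\alice\AppData\Local\Temp\update.exe", "ReadData")),
    (4663, _event("alice", r"C:\Users\alice\notes.txt", r"C:\Windows\System32\notepad.exe", "WriteData")),
    (4656, _event("alice", LS, r"C:\Users\alice\AppData\Local\Temp\update.exe", "ReadData")),
]
```

Running `find_local_state_access(SAMPLE_EVENTS)` returns only the Temp binary's access; the 4656 record is ignored because the rule keys on 4663.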
Detection coverage (2 rules)
Detect Chrome Local State File Access by Non-Chrome Processes
Severity: high. Detects non-Chrome processes accessing the Chrome 'Local State' file, which could indicate credential theft.
Detect Chrome Local State File Access by Unusual Processes
Severity: medium. Detects an unusual process accessing the Chrome 'Local State' file, which could indicate credential theft.