Threat Feed
high advisory

Non-Chrome Process Accessing Chrome Login Data

This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.

This threat brief focuses on detecting unauthorized access to Chrome’s “Login Data” file, a local SQLite database that stores user credentials. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by directly accessing and parsing this file. The “Login Data” file contains sensitive information, including usernames, passwords, and URLs. The technique is commonly associated with credential-stealing malware families like RedLine Stealer, DarkGate, and others listed below. Successful exploitation allows attackers to harvest credentials for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records attempts to access objects like files.

Attack Chain

  1. The attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
  2. The attacker executes a malicious executable or script on the compromised system.
  3. The malicious process attempts to access the Chrome “Login Data” file, typically located at *\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.
  4. Windows Security Event Log generates an event with EventCode 4663, recording the file access attempt.
  5. The attacker’s process reads the “Login Data” SQLite database.
  6. The attacker extracts and potentially decrypts stored usernames and passwords from the “Login Data” file.
  7. The attacker uses the stolen credentials for lateral movement within the network.
  8. The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Compromised Chrome “Login Data” files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user’s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references section in the original source mentions Redline Stealer which is used in various attacks, indicating a potentially large number of victims across different sectors.

Recommendation

  • Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events so that Windows generates Security Event 4663, as described in the original source’s “how_to_implement” section.
  • Deploy the Sigma rule Chrome Login Data Accessed by Non-Browser Process to your SIEM and tune the process_path filter to exclude legitimate software in your environment.
  • Investigate any alerts generated by the Chrome Login Data Accessed by Non-Browser Process Sigma rule to determine if credential theft has occurred and remediate any affected accounts.
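As an added illustration of steps 3 and 4 of the attack chain and of the process_path tuning advised above (example code, not the platform’s own rule), the following Python parses the Object Name and Process Name fields from constructed Event ID 4663 Message bodies and flags any process outside an allowlist that opened a Chrome “Login Data” file; the allowlist contents and the sample paths are assumptions.

```python
import re

# Chrome profile layout: ...\AppData\Local\Google\Chrome\User Data\<profile>\Login Data
LOGIN_DATA_RE = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)

# Processes expected to open the file. Only chrome.exe is certain; vetted backup
# or password-manager tools would be added here after a tuning pass (assumption).
ALLOWED_PROCESSES = {"chrome.exe"}

# "Label:<tabs>value" lines as they appear in the 4663 Message body.
FIELD_RE = re.compile(r"^\s*(Object Name|Process Name|Access Mask):\s*(.+?)\s*$", re.M)

def parse_4663(message: str) -> dict:
    """Extract the three fields this detection needs from a 4663 Message body."""
    return {label: value for label, value in FIELD_RE.findall(message)}

def is_suspicious(event: dict, allowlist=ALLOWED_PROCESSES) -> bool:
    """True when a process outside the allowlist touched a Chrome Login Data file."""
    if not LOGIN_DATA_RE.search(event.get("Object Name", "")):
        return False                      # some other file; not in scope
    exe = event.get("Process Name", "").rsplit("\\", 1)[-1].lower()
    return exe not in allowlist           # compare on the executable name only

def triage(messages: list) -> list:
    """Return the parsed events that should raise an alert."""
    return [ev for ev in map(parse_4663, messages) if is_suspicious(ev)]

# Constructed sample Message bodies, abridged to the lines the detection reads.
SAMPLE_EVENTS = [
    "An attempt was made to access an object.\n"
    "\tObject Name:\t\tC:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tAccess Mask:\t\t0x1\n",
    "An attempt was made to access an object.\n"
    "\tObject Name:\t\tC:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\n"
    "\tProcess Name:\t\tC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\n"
    "\tAccess Mask:\t\t0x1\n",
    "An attempt was made to access an object.\n"
    "\tObject Name:\t\tC:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tAccess Mask:\t\t0x1\n",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("ALERT:", ev["Process Name"], "->", ev["Object Name"])
```

Only the first sample (powershell.exe reading Login Data) is flagged; the browser’s own access and a read of a different profile file are ignored.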

Detection coverage (2)

Chrome Login Data Accessed by Non-Browser Process

high

Detects non-Chrome processes accessing the Chrome Login Data file, which stores user credentials.

Sigma | tactics: credential_access | techniques: T1003 | sources: file_event, windows

Chrome Login Data Access via Suspicious Process

medium

Detects potential credential access by identifying non-browser processes accessing the Chrome Login Data file.

Sigma | tactics: credential_access | techniques: T1003 | sources: process_creation, windows

Detection queries are kept inside the platform.