Windows Credential Access from Browser Password Store Detection
This brief describes a detection for suspicious activity on Windows systems where an uncommon or unauthorized process attempts to access browser user data profiles, a common behavior observed in Trojan Stealers like SnakeKeylogger to harvest sensitive browser information and credentials for exfiltration.
Threat actors, often employing various Trojan Stealers such as SnakeKeylogger (mentioned in the source), frequently target web browser password stores and user profiles to extract sensitive information and credentials. This activity is a critical step in their data exfiltration strategy, enabling further compromise, financial fraud, or identity theft. The detection focuses on identifying processes that unexpectedly access browser user data directories on Windows systems. It specifically looks for instances where a process other than the legitimate browser application (e.g., chrome.exe accessing Chrome's user data) attempts to read or modify these sensitive files, indicating potential malicious activity. The methodology involves monitoring Windows Security Event Log 4663 for object access attempts and comparing the accessing process against a predefined list of allowed browser applications.
Attack Chain
- Initial Access: The attacker gains initial access to the victim's system, commonly through phishing emails containing malicious attachments or links, or compromised websites leading to drive-by downloads.
- Execution: The malicious payload, such as SnakeKeylogger, is executed on the victim's machine, often disguised as a legitimate application or document.
- Discovery: The malware identifies the presence of installed web browsers and their respective user data directories, which store credentials, cookies, and other sensitive information.
- Credential Access: The stealer malware initiates access to specific browser user data profiles and password stores (e.g.,
Login Dataorkey4.dbfiles), attempting to read or decrypt stored credentials. This step often involves a non-browser process accessing these files. - Collection: Once accessed, the malware collects the harvested credentials, autofill data, cookies, and other valuable information from the browser's database files.
- Exfiltration: The collected sensitive data is then encrypted and exfiltrated to the attacker's command and control (C2) server over various channels, typically HTTP/HTTPS.
- Impact: The exfiltrated credentials are used for unauthorized access to online accounts, financial fraud, further network compromise, or sale on underground forums.
Impact
Successful exploitation results in significant data compromise, including user credentials, financial information, and personal data stored within web browsers. This can lead to unauthorized access to corporate and personal accounts, financial fraud, and identity theft. While the source does not provide specific victim counts, stealer malware campaigns are widespread and impact individuals and organizations across all sectors globally. The exfiltration of credentials can serve as a stepping stone for further lateral movement within an organization's network, escalating the initial compromise to a full-scale breach.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect suspicious browser credential access attempts by unauthorized processes.
- Enable Windows Security Event Log 4663 by configuring "Audit Object Access" for both "Success" and "Failure" events in Group Policy.
- Tune the
browser_app_listlookup (or equivalent whitelist) within your detection system to accurately reflect legitimate browser applications and their expected access paths, reducing false positives. - Implement strong phishing awareness training for all users to reduce the likelihood of initial access by stealer malware.
Detection coverage 1
Suspicious Process Accessing Browser User Data
highDetects non-standard processes attempting to access sensitive browser user data directories, indicative of stealer malware activity like SnakeKeylogger. This rule targets Windows Event Code 4663 for file access.
Detection queries are available on the platform. Get full rules →