Skip to content
Threat Feed
high advisory

Non-Chrome Process Accessing Chrome Default Directory

This brief describes the detection of unauthorized access by non-Chrome processes to the Chrome user default folder, a behavior associated with RATs, trojans, and APTs like FIN7, aiming to exfiltrate sensitive data such as login credentials, browsing history, and cookies.

This threat brief focuses on the malicious activity involving non-Chrome processes attempting to access sensitive files within the Google Chrome user default folder. This technique is often employed by various adversaries, including sophisticated advanced persistent threats (APTs) like FIN7, as well as common remote access Trojans (RATs) and other malware families (e.g., StealC, Phemedrone Stealer, RedLine Stealer, AgentTesla). The activity typically occurs post-compromise, where an attacker has gained execution on a victim's system. The Chrome user default folder is a treasure trove of sensitive user data, including stored login credentials, browsing history, cookies, and other personal information. Unauthorized access to these files, observable via Windows Security Event logs (Event Code 4663), indicates a high probability of data theft and potential further system compromise. This behavior highlights the critical need for robust endpoint detection and response capabilities to protect user data from exfiltration.

Attack Chain

  1. Initial Compromise: The attacker gains initial access to the victim's system, typically through phishing emails containing malicious attachments or links, exploitation of vulnerable software, or supply chain attacks (e.g., 3CX Supply Chain Attack mentioned in analytic story).
  2. Malware Delivery and Execution: A trojan, RAT, or infostealer payload is delivered and executed on the victim's endpoint, establishing a foothold and often achieving persistence.
  3. Process Launch: The malicious payload launches a new process (e.g., malware.exe, beacon.exe, or a legitimate process used for injection/living off the land) that is not a recognized legitimate Chrome process.
  4. Sensitive Data Access: The launched non-Chrome process attempts to access files within the %LOCALAPPDATA%\Google\Chrome\User Data\Default\ directory or similar paths containing Chrome user data. This action triggers Windows Security Event Code 4663.
  5. Data Collection: The malicious process reads and collects sensitive information, such as saved browser credentials, session cookies, browsing history, and autofill data from the accessed files.
  6. Data Staging: The collected data is typically staged in a temporary location on the victim's system, often compressed or encrypted, in preparation for exfiltration.
  7. Data Exfiltration: The staged sensitive data is then transmitted to attacker-controlled command-and-control (C2) infrastructure via various network protocols (e.g., HTTP, HTTPS, DNS, FTP).

Impact

Successful execution of this attack chain leads to the severe compromise of sensitive user information. Victims face direct risks of credential theft, potentially leading to account takeovers across multiple online services (email, banking, cloud platforms) and further lateral movement within an organization's network. Session hijacking through stolen cookies can bypass multi-factor authentication. The exfiltration of browsing history can provide attackers with valuable intelligence for targeted social engineering or espionage campaigns. Given the association with sophisticated groups like FIN7 and various RATs, successful attacks can precede large-scale financial fraud, intellectual property theft, or widespread data breaches, impacting both individuals and organizations financially and reputationally.

Recommendation

  • Enable Auditing: Ensure Windows Security Event logging for Event Code 4663 (Object Access) is fully enabled and configured to log both success and failure events for file system objects as described in the how_to_implement section of the brief.
  • Deploy Sigma Rule: Deploy the Detect Non-Chrome Process Accessing Chrome Default Directory Sigma rule to your SIEM/EDR platform to detect suspicious access attempts.
  • Tune False Positives: Review and tune the deployed Sigma rule for potential false positives, specifically by creating exceptions for legitimate processes that might interact with Chrome's user data, such as other Chromium-based browsers or security tooling, as noted in falsepositives.
  • Implement Application Control: Utilize application control solutions (e.g., Windows Defender Application Control, AppLocker) to restrict unauthorized processes from executing or accessing sensitive directories.
  • Regular Patching and Updates: Ensure all operating systems, web browsers, and third-party applications are regularly patched and updated to remediate vulnerabilities exploited in initial access stages.

Detection coverage 1

Detect Non-Chrome Process Accessing Chrome Default Directory

high

Detects non-Chrome process accessing the Chrome user default data directory, which often contains sensitive information like credentials and cookies. This indicates potential data theft or infostealer activity.

sigma tactics: credential_access techniques: T1555.003 sources: file_event, windows

Detection queries are available on the platform. Get full rules →