{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/password-stealing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise Security","Splunk Enterprise","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to the Chrome \u0026lsquo;Local State\u0026rsquo; file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The \u0026lsquo;Local State\u0026rsquo; file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it\u0026rsquo;s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. 
Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the victim machine (e.g., RedLine Stealer).\u003c/li\u003e\n\u003cli\u003eThe malware locates the Chrome \u0026lsquo;Local State\u0026rsquo; file, typically found at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware process opens and reads the \u0026lsquo;Local State\u0026rsquo; file. If a file-system audit entry (SACL) covers the file, Windows records the access as Security Event 4663, including the accessing process name and the object path.\u003c/li\u003e\n\u003cli\u003eThe malware extracts the encrypted master key, which \u0026lsquo;Local State\u0026rsquo; stores base64-encoded under \u003ccode\u003eos_crypt.encrypted_key\u003c/code\u003e; the decoded blob begins with the literal string \u003ccode\u003eDPAPI\u003c/code\u003e followed by the encrypted key.\u003c/li\u003e\n\u003cli\u003eThe malware decrypts the master key with the Windows Data Protection API (\u003ccode\u003eCryptUnprotectData\u003c/code\u003e). Chrome protects the key under the victim\u0026rsquo;s own user context, so any process running as that user can decrypt it without knowing any further secret.\u003c/li\u003e\n\u003cli\u003eThe decrypted master key is used to decrypt the saved passwords in Chrome\u0026rsquo;s \u0026lsquo;Login Data\u0026rsquo; database.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are exfiltrated to the attacker\u0026rsquo;s command and control server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful theft of the master key lets attackers decrypt every credential saved in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; (the \u0026ldquo;Audit File System\u0026rdquo; subcategory under Advanced Audit Policy) in Group Policy for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section of the source detection. The policy alone is not enough: Windows generates Event 4663 only for objects that carry an audit entry (SACL), so apply one to the Chrome \u003ccode\u003eUser Data\u003c/code\u003e directory, either directly or through Global Object Access Auditing.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Local State File Access by Non-Chrome Processes\u0026rdquo; to your SIEM to detect unauthorized access attempts (see the \u0026ldquo;rules\u0026rdquo; section of the source detection). Tune the rule\u0026rsquo;s process filter list to exclude legitimate software seen in your environment, such as software uninstallers; expect similar noise from any agent that scans or backs up the whole user profile.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert generated by the Sigma rule, starting from the \u0026ldquo;Process Name\u0026rdquo; and \u0026ldquo;Object Name\u0026rdquo; fields of the 4663 event to identify which process read the \u0026lsquo;Local State\u0026rsquo; file and from where on disk it ran. A read by an unexpected process should be treated as exposure of every password saved in that Chrome profile.\u003c/li\u003e\n\u003cli\u003eConsider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-localstate-access/","summary":"Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.","title":"Unauthorized Access to Chrome Local State File","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-localstate-access/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Chrome","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","password-stealing","windows"],"_cs_type":"advisory","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access to Chrome\u0026rsquo;s \u0026ldquo;Login Data\u0026rdquo; file, a local SQLite database that stores saved logins. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by reading and parsing the file directly. The \u0026ldquo;Login Data\u0026rdquo; file holds URLs, usernames, and passwords; the passwords are encrypted, but the master key needed to decrypt them sits in the neighbouring \u0026ldquo;Local State\u0026rdquo; file and is recoverable by any process running as the user, so a successful read of both files is equivalent to plaintext theft. The technique is commonly associated with credential-stealing malware families such as RedLine Stealer and DarkGate. Harvested credentials are then used for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records accesses to audited objects such as files; copying the file elsewhere before parsing it, as many stealers do, still reads the original and therefore still produces the event.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious executable or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process accesses the Chrome \u0026ldquo;Login Data\u0026rdquo; file, typically located at \u003ccode\u003e*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\u003c/code\u003e. Additional Chrome profiles replace the \u003ccode\u003eDefault\u003c/code\u003e segment with \u003ccode\u003eProfile 1\u003c/code\u003e, \u003ccode\u003eProfile 2\u003c/code\u003e and so on, so detection logic should match on the file name rather than on the full \u0026ldquo;Default\u0026rdquo; path.\u003c/li\u003e\n\u003cli\u003eThe Windows Security Event Log records the access as EventCode 4663, provided the file is covered by an audit entry (SACL).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process reads the \u0026ldquo;Login Data\u0026rdquo; SQLite database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the stored URLs and usernames from the \u0026ldquo;Login Data\u0026rdquo; file and decrypts the password values with the master key taken from \u0026ldquo;Local State\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Chrome \u0026ldquo;Login Data\u0026rdquo; files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user\u0026rsquo;s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references in the original source cite RedLine Stealer, which has been used in campaigns across many sectors, so the potential victim population is large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Object Access\u0026rdquo; (the \u0026ldquo;Audit File System\u0026rdquo; subcategory under Advanced Audit Policy) in Group Policy for both \u0026ldquo;Success\u0026rdquo; and \u0026ldquo;Failure\u0026rdquo; events, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section of the source detection, and apply an audit entry (SACL) to the Chrome \u003ccode\u003eUser Data\u003c/code\u003e directory; Event 4663 is generated only for objects that carry one.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess_path\u003c/code\u003e filter to exclude legitimate software in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert generated by the \u003ccode\u003eChrome Login Data Accessed by Non-Browser Process\u003c/code\u003e Sigma rule: confirm from the event\u0026rsquo;s \u0026ldquo;Accesses\u0026rdquo; or \u0026ldquo;Access Mask\u0026rdquo; field that data was actually read (ReadData, 0x1) rather than only attributes, identify and contain the process, and if the read was not legitimate treat every password saved in that profile as compromised and reset the affected accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-chrome-login-data-access/","summary":"This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.","title":"Non-Chrome Process Accessing Chrome Login Data","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-login-data-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Password-Stealing","version":"https://jsonfeed.org/version/1.1"}
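Added example, not part of the CraftedSignal feed and not Splunk's detection content: the triage logic that both briefs above describe, run over constructed Event 4663 records. It assumes Splunk-style field names (EventCode, Object_Name, Process_Name, Access_Mask, Account_Name), flags reads of 'Local State' or 'Login Data' by any process other than Chrome's own chrome.exe, generalises the 'Login Data' path to every Chrome profile directory rather than only Default, drops attribute-only opens via the Access Mask, and carries one hypothetical tuning exclusion (Chrome's own setup.exe) of the kind the recommendations call for; every sample event and path is constructed.

```python
"""Triage of Windows Security Event 4663 records for non-Chrome reads of Chrome's
'Local State' and 'Login Data' files.  Added example for this feed, not CraftedSignal
or Splunk code.  Events are plain dicts with Splunk-style field names (assumption:
EventCode, Object_Name, Process_Name, Access_Mask, Account_Name); samples are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Both files live under the Chrome user-data directory.  'Login Data' sits inside a
# profile directory: 'Default' for the first profile, 'Profile N' for additional
# ones, so the pattern covers every profile rather than 'Default' alone.
TARGET_FILES = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\"
    r"(?:Local State|(?:Default|Profile \d+)\\Login Data)$",
    re.IGNORECASE,
)

# Expected readers, matched on the full path so that a stealer dropped as chrome.exe
# in a temp directory is not excused.  Chrome itself is the only legitimate reader;
# the second pattern is a hypothetical tuning exclusion (assumption) of the kind the
# brief recommends for uninstallers.
ALLOWED_PROCESSES = (
    re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.IGNORECASE),
    re.compile(r"\\Google\\Chrome\\Application\\[\d.]+\\Installer\\setup\.exe$",
               re.IGNORECASE),
)

READ_DATA = 0x1  # ReadData / ListDirectory bit of the 4663 Access Mask


@dataclass(frozen=True)
class Finding:
    account: str
    process: str
    object_name: str
    target: str  # 'Local State' or 'Login Data'


def parse_access_mask(value) -> int:
    """Access_Mask arrives either as an int or as a hex string such as '0x80'."""
    return value if isinstance(value, int) else int(str(value).strip(), 16)


def is_target_file(path: str) -> bool:
    return TARGET_FILES.search(path) is not None


def is_allowed_process(path: str) -> bool:
    return any(p.search(path) for p in ALLOWED_PROCESSES)


def triage_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a non-allowed process read a target file, else None."""
    if event.get("EventCode") != 4663:
        return None
    object_name = event.get("Object_Name", "")
    if not is_target_file(object_name):
        return None
    # Attribute-only opens (0x80 ReadAttributes from a directory listing, say) never
    # expose file contents, so only accesses that include ReadData are flagged.
    if not (parse_access_mask(event.get("Access_Mask", 0)) & READ_DATA):
        return None
    process = event.get("Process_Name", "")
    if is_allowed_process(process):
        return None
    target = "Local State" if object_name.lower().endswith("local state") else "Login Data"
    return Finding(event.get("Account_Name", "?"), process, object_name, target)


def triage(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(triage_event, events) if f is not None]


def _event(account, mask, process, object_name):
    return {"EventCode": 4663, "Account_Name": account, "Access_Mask": mask,
            "Process_Name": process, "Object_Name": object_name}


UD = r"\AppData\Local\Google\Chrome\User Data"  # user-data suffix shared by the samples

# Constructed sample events; only the four reads by unexpected processes fire.
SAMPLE_EVENTS = [
    _event("alice", "0x1", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r"C:\Users\alice" + UD + r"\Local State"),
    _event("alice", "0x1", r"C:\Users\alice\AppData\Local\Temp\update.exe",
           r"C:\Users\alice" + UD + r"\Local State"),
    _event("alice", "0x1", r"C:\Users\alice\AppData\Local\Temp\update.exe",
           r"C:\Users\alice" + UD + r"\Default\Login Data"),
    _event("alice", "0x80", r"C:\Windows\explorer.exe",
           r"C:\Users\alice" + UD + r"\Default\Login Data"),
    _event("bob", "0x1", r"C:\Users\bob\Downloads\invoice.exe",
           r"C:\Users\bob" + UD + r"\Profile 1\Login Data"),
    _event("bob", "0x1",
           r"C:\Program Files\Google\Chrome\Application\120.0.6099.130\Installer\setup.exe",
           r"C:\Users\bob" + UD + r"\Local State"),
    _event("alice", "0x1", r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
           r"C:\Users\alice" + UD + r"\Local State"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.account}: {f.process} read {f.target} ({f.object_name})")
```

Running the module prints the four findings: two reads by a temp-directory update.exe, one read of a second profile's 'Login Data' by a downloaded binary, and one by a binary merely named chrome.exe outside Chrome's install directory. The Access Mask check is a design choice that removes directory-listing noise; drop it if you would rather review attribute-only opens too, and extend ALLOWED_PROCESSES only with full-path patterns, never with a bare file name.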