Unauthorized Access to Chrome Local State File

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on detecting unauthorized access to the Chrome ‘Local State’ file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The ‘Local State’ file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it’s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.

Attack Chain

The attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).
Malware is deployed on the victim machine (e.g., RedLine Stealer).
The malware attempts to locate the Chrome ‘Local State’ file, typically found at *\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.
The malware process accesses the ‘Local State’ file, triggering a Windows Security Event 4663.
The malware extracts the encrypted master key from the ‘Local State’ file.
The malware decrypts the master key using attacker-controlled methods.
The decrypted master key is used to decrypt saved passwords stored by Chrome.
The stolen credentials are exfiltrated to the attacker’s command and control server.

Impact

Successful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.

Recommendation

Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events to ensure Windows Security Event 4663 is generated for file access, as described in the “how_to_implement” section.
Deploy the Sigma rule “Detect Chrome Local State File Access by Non-Chrome Processes” to your SIEM to detect unauthorized access attempts (see “rules” section). Tune the rule’s filter list to reduce false positives related to legitimate software uninstallers.
Investigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the ‘Local State’ file, as described in the rule’s description.
Consider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.

Non-Chrome Process Accessing Chrome Login Data

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on detecting unauthorized access to Chrome’s “Login Data” file, a local SQLite database that stores user credentials. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by directly accessing and parsing this file. The “Login Data” file contains sensitive information, including usernames, passwords, and URLs. The technique is commonly associated with credential-stealing malware families like RedLine Stealer, DarkGate, and others listed below. Successful exploitation allows attackers to harvest credentials for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records attempts to access objects like files.

Attack Chain

The attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
The attacker executes a malicious executable or script on the compromised system.
The malicious process attempts to access the Chrome “Login Data” file, typically located at *\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.
Windows Security Event Log generates an event with EventCode 4663, recording the file access attempt.
The attacker’s process reads the “Login Data” SQLite database.
The attacker extracts and potentially decrypts stored usernames and passwords from the “Login Data” file.
The attacker uses the stolen credentials for lateral movement within the network.
The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Compromised Chrome “Login Data” files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user’s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references section in the original source mentions Redline Stealer which is used in various attacks, indicating a potentially large number of victims across different sectors.

Recommendation

Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events to generate Windows Security Event 4663, as described in the “how_to_implement” section.
Deploy the Sigma rule Chrome Login Data Accessed by Non-Browser Process to your SIEM and tune the process_path filter to exclude legitimate software in your environment.
Investigate any alerts generated by the Chrome Login Data Accessed by Non-Browser Process Sigma rule to determine if credential theft has occurred and remediate any affected accounts.

Password-Stealing — CraftedSignal Threat Feed

Unauthorized Access to Chrome Local State File

Attack Chain

Impact

Recommendation

Non-Chrome Process Accessing Chrome Login Data

Attack Chain

Impact

Recommendation