{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/redline-stealer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome"],"_cs_severities":["high"],"_cs_tags":["credential-access","malware","redline-stealer","windows"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious activity where non-Chrome processes access the \u0026quot;Local State\u0026quot; file. This file stores Chrome's critical settings, including the encrypted master key. Attackers can steal this key to decrypt stored passwords. This activity is detected using Windows Security Event logs (Event ID 4663), focusing on unauthorized file access. The detection is designed to identify suspicious processes accessing the Local State file, excluding legitimate Chrome and Explorer processes. Successful exploitation can lead to credential theft and further compromise of the system. The analytic was last updated March 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain necessary access rights if required.\u003c/li\u003e\n\u003cli\u003eMalware Deployment: The attacker deploys malware, such as a stealer (e.g., Redline Stealer), to the compromised system.\u003c/li\u003e\n\u003cli\u003eLocal State Access: The malware attempts to access the Chrome \u0026quot;Local State\u0026quot; file located at \u0026quot;*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\u0026quot;.\u003c/li\u003e\n\u003cli\u003eMaster Key Extraction: The malware extracts the encrypted master key from the \u0026quot;Local State\u0026quot; file.\u003c/li\u003e\n\u003cli\u003ePassword Decryption: The attacker uses the extracted master key to decrypt saved passwords stored by Chrome.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker harvests the decrypted credentials, including usernames and passwords.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Data Exfiltration: The attacker uses the stolen credentials to move laterally within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal credentials stored in Chrome. This can lead to unauthorized access to sensitive accounts, systems, and data. The references indicate this technique is used by malware families such as Redline Stealer, and many other stealers and RATs, demonstrating its widespread use. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026quot;Audit Object Access\u0026quot; in Group Policy and configure auditing for both \u0026quot;Success\u0026quot; and \u0026quot;Failure\u0026quot; events to capture the necessary Windows Security Event logs (EventCode 4663) for effective detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized access to the Chrome Local State file and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process accessing the Local State file (\u003ccode\u003eprocess_name\u003c/code\u003e, \u003ccode\u003eprocess_path\u003c/code\u003e) and the user context in which the access occurred.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-chrome-localstate-access/","summary":"This analytic detects non-Chrome processes accessing the Chrome Local State file, which can lead to the extraction of the master key used for decrypting saved Chrome passwords.","title":"Suspicious Access to Chrome Local State File","url":"https://feed.craftedsignal.io/briefs/2024-01-09-chrome-localstate-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Redline-Stealer","version":"https://jsonfeed.org/version/1.1"}