<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Redline-Stealer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/redline-stealer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/redline-stealer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Access to Chrome Local State File</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-chrome-localstate-access/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-chrome-localstate-access/</guid><description>This analytic detects non-Chrome processes accessing the Chrome Local State file, which can lead to the extraction of the master key used for decrypting saved Chrome passwords.</description><content:encoded><![CDATA[<p>This detection identifies potentially malicious activity where non-Chrome processes access the &quot;Local State&quot; file. This file stores Chrome's critical settings, including the encrypted master key. Attackers can steal this key to decrypt stored passwords. This activity is detected using Windows Security Event logs (Event ID 4663), focusing on unauthorized file access. The detection is designed to identify suspicious processes accessing the Local State file, excluding legitimate Chrome and Explorer processes. Successful exploitation can lead to credential theft and further compromise of the system. The analytic was last updated March 10, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to the system through various means (e.g., phishing, exploit).</li>
<li>Privilege Escalation: The attacker escalates privileges to gain necessary access rights if required.</li>
<li>Malware Deployment: The attacker deploys malware, such as a stealer (e.g., Redline Stealer), to the compromised system.</li>
<li>Local State Access: The malware attempts to access the Chrome &quot;Local State&quot; file located at &quot;*\AppData\Local\Google\Chrome\User Data\Local State&quot;.</li>
<li>Master Key Extraction: The malware extracts the encrypted master key from the &quot;Local State&quot; file.</li>
<li>Password Decryption: The attacker uses the extracted master key to decrypt saved passwords stored by Chrome.</li>
<li>Credential Harvesting: The attacker harvests the decrypted credentials, including usernames and passwords.</li>
<li>Lateral Movement/Data Exfiltration: The attacker uses the stolen credentials to move laterally within the network or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to steal credentials stored in Chrome. This can lead to unauthorized access to sensitive accounts, systems, and data. The references indicate this technique is used by malware families such as Redline Stealer, and many other stealers and RATs, demonstrating its widespread use. The impact includes potential data breaches, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &quot;Audit Object Access&quot; in Group Policy and configure auditing for both &quot;Success&quot; and &quot;Failure&quot; events to capture the necessary Windows Security Event logs (EventCode 4663) for effective detection.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect unauthorized access to the Chrome Local State file and tune it based on your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the process accessing the Local State file (<code>process_name</code>, <code>process_path</code>) and the user context in which the access occurred.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>malware</category><category>redline-stealer</category><category>windows</category></item></channel></rss>