The hypothesis is that an adversary is attempting to exfiltrate Firefox browser credentials from a victim’s system to gain access to sensitive user accounts. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft activities early and prevent further lateral movement or data exfiltration.
YARA Rule
rule cred_ff {
    meta:
        author = "x0r"
        description = "Steal Firefox credential"
        version = "0.1"
    strings:
        $f1 = "signons.sqlite"
        $f2 = "signons3.txt"
        $f3 = "secmod.db"
        $f4 = "cert8.db"
        $f5 = "key3.db"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled Firefox Credential Export for Compliance
Description: A system administrator runs a scheduled job to export Firefox credentials for audit purposes using the firefox command-line tool with the --export flag.
Filter/Exclusion: Exclude processes initiated by the system account (root or system) or those matching the scheduled task name (e.g., export_firefox_credentials.sh).
Scenario: Automated Password Reset Tool Using Firefox
Description: An internal password reset tool (e.g., PasswordManagerPro) uses Firefox to fill in credentials during automated user account resets.
Filter/Exclusion: Exclude processes associated with the password reset tool (e.g., PasswordManagerPro) or those running under a service account.
Scenario: Admin Task to Clear Cached Credentials
Description: An admin uses the clearcache Firefox command to remove cached credentials during routine maintenance.
Filter/Exclusion: Exclude processes with the command line containing clearcache or executed by an admin user with elevated privileges.
Scenario: Firefox Extension for Credential Management
Description: A legitimate Firefox extension (e.g., 1Password, Bitwarden) stores and manages credentials, which may trigger credential extraction logic.
Filter/Exclusion: Exclude processes related to known credential managers or extensions (e.g., 1Password, Bitwarden) or those running in a trusted extension context.
Scenario: Firefox Used for Single Sign-On (SSO) Integration
Description: Firefox is used to access an SSO portal (e.g., Okta, Azure AD) where credentials are stored in the browser for seamless login.
Filter/Exclusion: Exclude processes initiated from known SSO portals or those with URLs matching SSO domains (e.g., *.okta.com, *.azure.com).
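As an added example (not code from the original rule or this page), the Python below re-implements the cred_ff rule's "any of them" string matching in plain code and then applies a triage step modelled on the exclusion scenarios above. The trusted process names, service-account names and sample process events are constructed assumptions, not values from the page.

```python
"""Plain-Python equivalent of the cred_ff YARA rule plus a triage step
based on the page's exclusion scenarios. All sample data is constructed."""
from dataclasses import dataclass

# The five $f strings from rule cred_ff. These are the legacy Firefox
# credential/key store file names (newer profiles use logins.json, key4.db, cert9.db).
CRED_FF_STRINGS = {
    "$f1": b"signons.sqlite",
    "$f2": b"signons3.txt",
    "$f3": b"secmod.db",
    "$f4": b"cert8.db",
    "$f5": b"key3.db",
}


def match_cred_ff(data: bytes) -> list[str]:
    """Return the identifiers of rule strings present in data.
    The rule's condition 'any of them' fires when the list is non-empty."""
    return [name for name, pattern in CRED_FF_STRINGS.items() if pattern in data]


@dataclass
class ProcessEvent:
    image: str       # executable name as logged by the EDR/Sysmon source
    cmdline: bytes   # full command line, scanned like a YARA target buffer
    user: str        # account that launched the process


# Hypothetical allow-list derived from the scenarios (assumed names, not from the page).
TRUSTED_IMAGES = {"passwordmanagerpro.exe", "1password.exe", "bitwarden.exe"}
SERVICE_ACCOUNTS = {"root", "system", "nt authority\\system"}


def triage(event: ProcessEvent) -> str:
    """Scan the command line with cred_ff and apply the exclusions.
    Returns 'clean' (no hit), 'excluded' (hit but allow-listed) or 'alert'."""
    if not match_cred_ff(event.cmdline):
        return "clean"
    if event.image.lower() in TRUSTED_IMAGES or event.user.lower() in SERVICE_ACCOUNTS:
        return "excluded"
    return "alert"


# Constructed sample events: one suspicious copy, one allow-listed tool, one benign launch.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", b"cmd.exe /c copy key3.db cert8.db C:\\temp\\", "alice"),
    ProcessEvent("1password.exe", b"1password.exe --import signons.sqlite", "alice"),
    ProcessEvent("firefox.exe", b"firefox.exe https://intranet.example", "alice"),
]


def run_samples() -> dict[str, str]:
    """Triage every sample event, keyed by image name."""
    return {event.image: triage(event) for event in SAMPLE_EVENTS}
```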