Adversaries who gain a foothold on a workstation may read Signal Desktop's local data files, db.sqlite (the encrypted message store) and config.json (which holds the key for it), and copy both out to decrypt the user's message history offline. The Google Threat Intelligence report referenced in the rule below documents Russia-aligned actors targeting Signal users, which is why this access pattern is worth hunting for. Newer Signal Desktop builds wrap the database key with the operating system's credential store (DPAPI on Windows) instead of storing it in the clear, but DPAPI unwraps the key for any process running in the same user session, so the two files remain the target. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) with the rule below, provided the host actually generates 4663 file-access events for the Signal profile directory: a SACL with "List folder / read data" auditing on %APPDATA%\Signal and the "Audit File System" subcategory enabled are prerequisites, otherwise the query returns nothing.
Detection Rule
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium
Sentinel Query
The rule's log source is the Windows Security log, so in Sentinel it runs against the SecurityEvent table (4663 file-access events), not the registry normalization table. The contains and endswith operators in KQL are case-insensitive, matching Sigma's default string semantics.
SecurityEvent
| where EventID == 4663 and ObjectType == "File"
| where ObjectName contains @"\AppData\Roaming\Signal\"
| where ObjectName endswith @"\config.json" or ObjectName endswith @"\db.sqlite"
| where not(ProcessName endswith @"\signal-portable.exe" or ProcessName endswith @"\signal.exe")
Scenario: Database Backup Process
Description: A scheduled backup job reads db.sqlite (and typically config.json next to it) while backing up the user's roaming profile.
Filter/Exclusion: Exclude file access events where ProcessName equals the full image path of the backup agent (the names backup_tool.exe and db_backup_scheduler.exe used here are placeholders for your product's binary). Match the full path, not the bare file name: an attacker can name a copy tool anything, so a name-only exclusion is trivially bypassed.
Scenario: System Administration Task
Description: An admin uses a Sysinternals tool such as Process Explorer (procexp.exe, procexp64.exe) or Handle (handle.exe, handle64.exe) to inspect open handles to db.sqlite for troubleshooting.
Filter/Exclusion: Exclude file access events from those specific image paths. Do not exclude every event from domain admins: a compromised or misused privileged account is exactly the case the rule needs to keep catching, and a user-based exclusion would also hide a copy of the files made from an admin's shell.
Scenario: Log Analysis Tool Access
Description: An endpoint agent for a log collection or file integrity monitoring product (for example the Splunk universal forwarder, splunkd.exe, or an Elastic endpoint agent) reads or hashes files under the Signal profile while monitoring the directory.
Filter/Exclusion: Exclude file access events where ProcessName is the agent's full image path as observed on the endpoint. Server-side components such as logstash and elasticsearch run on the collection tier, not on the workstation, so they never appear in its 4663 events and need no exclusion.
Scenario: Configuration Management Task
Description: A configuration management agent (Chef, Puppet, or an Ansible play delivered over WinRM) touches config.json while enforcing permissions on, or collecting, files under the user's profile.
Filter/Exclusion: Exclude file access events where ProcessName is the agent's full image path as it actually appears on the host. Check that before writing the exclusion: Ansible has no resident agent on a Windows target, so its file operations surface under the WinRM host process (wsmprovhost.exe) rather than an ansible.exe. Signal writes config.json itself, so a write to it from any other process still deserves a look even when reads from the agent are tuned out.
Scenario: User-Initiated File Inspection
Description: A user manually opens config.json in a text editor such as Notepad++, VS Code, or vim to review settings.
Filter/Exclusion: If this is routine on specific machines (for example developers working with Signal Desktop), exclude notepad++.exe, code.exe, or vim.exe on those hosts only. Opening config.json in an editor is also how an intruder with interactive access reads the key, so keep the exclusion narrow, or triage these events rather than suppressing them fleet-wide.