An adversary may attempt to exfiltrate sensitive user data, such as passwords and credit card information, by decrypting the credentials stored by Google Chrome or Chromium browsers on macOS systems. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential data exfiltration attempts and mitigate the risk of credential misuse.
YARA Rule
rule hacktool_macos_manwhoami_osxchromedecrypt
{
    meta:
        description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X."
        reference = "https://github.com/manwhoami/OSXChromeDecrypt"
        author = "@mimeframe"
        id = "1cae37d5-2995-55f6-b821-d89334f11b9a"
    strings:
        $a1 = "Credit Cards for Chrome Profile" wide ascii
        $a2 = "Passwords for Chrome Profile" wide ascii
        $a3 = "Unknown Card Issuer" wide ascii
        $a4 = "ERROR getting Chrome Safe Storage Key" wide ascii
        $b1 = "select name_on_card, card_number_encrypted, expiration_month, expiration_year from credit_cards" wide ascii
        $b2 = "select username_value, password_value, origin_url, submit_element from logins" wide ascii
    condition:
        3 of ($a*) or all of ($b*)
}
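To make the rule's matching logic concrete, the following added example (written for this page, not code from the original page or from the referenced OSXChromeDecrypt project) re-implements in pure Python what the "wide ascii" modifiers and the condition "3 of ($a*) or all of ($b*)" mean, and evaluates them against constructed sample buffers. It is not a YARA engine; the helper names and the sample data are this example's own assumptions.

```python
"""Pure-Python walk-through of the hacktool_macos_manwhoami_osxchromedecrypt logic.

Added example for illustration; it mirrors the six strings and the condition of
the YARA rule above so the matching rules can be exercised without yara-python.
"""

# The six strings from the rule, keyed by their YARA identifier (without '$').
RULE_STRINGS = {
    "a1": "Credit Cards for Chrome Profile",
    "a2": "Passwords for Chrome Profile",
    "a3": "Unknown Card Issuer",
    "a4": "ERROR getting Chrome Safe Storage Key",
    "b1": ("select name_on_card, card_number_encrypted, expiration_month, "
           "expiration_year from credit_cards"),
    "b2": "select username_value, password_value, origin_url, submit_element from logins",
}


def encodings(pattern):
    """'wide ascii' in YARA means the plain ASCII bytes *and* the UTF-16LE form
    (each character followed by a NUL byte). No 'nocase' is set, so matching
    is case-sensitive, exactly as in the rule."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_strings(data):
    """Return the set of rule string identifiers found in data in either encoding."""
    hits = set()
    for ident, pattern in RULE_STRINGS.items():
        if any(enc in data for enc in encodings(pattern)):
            hits.add(ident)
    return hits


def rule_matches(data):
    """Evaluate the condition '3 of ($a*) or all of ($b*)'."""
    hits = matched_strings(data)
    a_hits = sum(1 for h in hits if h.startswith("a"))
    b_total = sum(1 for h in RULE_STRINGS if h.startswith("b"))
    b_hits = sum(1 for h in hits if h.startswith("b"))
    return a_hits >= 3 or b_hits == b_total


# --- Constructed sample buffers (not real files) ------------------------------

# Three of the $a strings in plain ASCII: enough on its own to fire the rule.
SAMPLE_ASCII = (
    b"print('Passwords for Chrome Profile')\n"
    b"print('Credit Cards for Chrome Profile')\n"
    b"# ERROR getting Chrome Safe Storage Key\n"
)

# Both $b SQL strings stored as UTF-16LE (what the 'wide' modifier catches);
# none of the ASCII forms are present here.
SAMPLE_WIDE = (
    RULE_STRINGS["b1"].encode("utf-16-le")
    + b"\x00\x00"
    + RULE_STRINGS["b2"].encode("utf-16-le")
)

# Only two $a strings and one $b string: below both thresholds, so no match.
SAMPLE_BELOW_THRESHOLD = (
    b"Unknown Card Issuer\n"
    b"Passwords for Chrome Profile\n"
    b"select username_value, password_value, origin_url, submit_element from logins\n"
)

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                      ("below-threshold", SAMPLE_BELOW_THRESHOLD)]:
        print(f"{name:16s} hits={sorted(matched_strings(buf))} match={rule_matches(buf)}")
```

The below-threshold sample is the case worth understanding when tuning: a file that merely references the Chrome `logins` table does not trigger the rule, because the condition requires either three of the four banner strings or both SQL queries together. In production the rule is compiled and run by YARA itself (for example through yara-python), not by this re-implementation.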
This rule contains 6 string patterns in its detection logic. The scenarios below describe benign activity that can resemble the behavior this rule targets, each with a suggested filter or exclusion. Because YARA matches on file or memory content, these process-based exclusions belong in the alerting layer (for example, a Sentinel analytics rule), not inside the YARA rule itself.
Scenario: System Maintenance Task Using chrome CLI Tools
Description: A system administrator uses the chrome CLI tools (e.g., chrome --help, chrome --version) during routine maintenance.
Filter/Exclusion: Exclude processes initiated by the root user or those running from /usr/bin or /opt directories.

Scenario: Scheduled Job for Password Syncing with Google Account
Description: A scheduled job (e.g., via cron or launchd) runs a script that syncs passwords with a Google account using Chrome’s sync functionality.
Filter/Exclusion: Exclude processes with command lines containing --password-store or --sync flags.

Scenario: Security Audit Tool Decrypting Stored Credentials
Description: A security tool (e.g., OSXKeychainInspector, KeychainAccess) is used by an admin to inspect and decrypt stored Chrome credentials for audit purposes.
Filter/Exclusion: Exclude processes with executable paths containing KeychainAccess, OSXKeychainInspector, or similar security tools.

Scenario: Automated Backup Script Accessing Chrome Data
Description: A backup script (e.g., rsync, backup.sh) accesses Chrome’s profile directory (~/Library/Application Support/Google/Chrome) to back up user data.
Filter/Exclusion: Exclude processes with command lines containing rsync, tar, or cp and targeting known Chrome profile directories.

Scenario: User-Initiated Password Export via Chrome UI
Description: A user exports passwords via the Chrome UI (e.g., chrome://settings/passwords), which may trigger decryption logic.
Filter/Exclusion: Exclude processes with command lines containing chrome://settings/passwords or chrome://settings/credentials.