Credential-stealing malware reads the files in which browsers keep saved logins, cookies and form history (MITRE ATT&CK T1555.003, Credentials from Web Browsers; enumerating the profile directories beforehand falls under T1217, Browser Information Discovery). The Sigma rule below, with its Microsoft Sentinel (formerly Azure Sentinel) conversion, flags such reads when the reading process is neither the browser itself nor installed under the standard C: program or system directories, so hits concentrate on binaries executing from user-writable locations such as %TEMP%, %LOCALAPPDATA% and Downloads. Three limits are worth knowing before hunting with it: the path list covers Chromium derivatives plus a few Gecko forks (SeaMonkey, IceDragon, Cyberfox, Pale Moon), so a plain Firefox profile under \Mozilla\Firefox\ or an Opera profile is not matched; filter_main_generic exempts everything running from C:\Program Files\, System32 and SysWOW64, including powershell.exe and other LOLBins hosted there; and filter_main_path exempts any image whose path contains \Microsoft\, \Google\ or \Mozilla\, which also covers a payload staged under %APPDATA%\Microsoft\. The rule is rated low and is best used as a hunting query or an enrichment signal rather than a standalone alert.
Detection Rule
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is commonly observed in credential-stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
            - '\Login Data'
            - '\Cookies'
            - '\EncryptedStorage'
            - '\WebCache\'
        - FileName|endswith:
            - 'cert9.db'
            - 'cookies.sqlite'
            - 'formhistory.sqlite'
            - 'key3.db'
            - 'key4.db'
            - 'Login Data.sqlite'
            - 'logins.json'
            - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
// Field mapping (Sigma -> ASIM imFileEvent): FileName -> TargetFilePath, Image -> ActingProcessName, ParentImage -> ParentProcessName.
// The auto-generated conversion used TargetFilePath (the file being read) for Image as well, so none of the process
// exclusions could ever match. KQL contains/endswith/startswith/=~ are case-insensitive, like Sigma's defaults.
// The path-based exclusions assume the parser fills ActingProcessName with the full image path, as the ASIM schema describes.
imFileEvent
| where (TargetFilePath contains @"\Sputnik\Sputnik" or TargetFilePath contains @"\MapleStudio\ChromePlus" or TargetFilePath contains @"\QIP Surf"
        or TargetFilePath contains @"\BlackHawk" or TargetFilePath contains @"\7Star\7Star" or TargetFilePath contains @"\CatalinaGroup\Citrio"
        or TargetFilePath contains @"\Google\Chrome" or TargetFilePath contains @"\Coowon\Coowon" or TargetFilePath contains @"\CocCoc\Browser"
        or TargetFilePath contains @"\uCozMedia\Uran" or TargetFilePath contains @"\Tencent\QQBrowser" or TargetFilePath contains @"\Orbitum"
        or TargetFilePath contains @"\Slimjet" or TargetFilePath contains @"\Iridium" or TargetFilePath contains @"\Vivaldi" or TargetFilePath contains @"\Chromium"
        or TargetFilePath contains @"\GhostBrowser" or TargetFilePath contains @"\CentBrowser" or TargetFilePath contains @"\Xvast" or TargetFilePath contains @"\Chedot"
        or TargetFilePath contains @"\SuperBird" or TargetFilePath contains @"\360Browser\Browser" or TargetFilePath contains @"\360Chrome\Chrome"
        or TargetFilePath contains @"\Comodo\Dragon" or TargetFilePath contains @"\BraveSoftware\Brave-Browser" or TargetFilePath contains @"\Torch"
        or TargetFilePath contains @"\UCBrowser\" or TargetFilePath contains @"\Blisk" or TargetFilePath contains @"\Epic Privacy Browser"
        or TargetFilePath contains @"\Nichrome" or TargetFilePath contains @"\Amigo" or TargetFilePath contains @"\Kometa" or TargetFilePath contains @"\Xpom"
        or TargetFilePath contains @"\Microsoft\Edge" or TargetFilePath contains @"\Liebao7Default\EncryptedStorage" or TargetFilePath contains @"\AVAST Software\Browser"
        or TargetFilePath contains @"\Kinza" or TargetFilePath contains @"\Mozilla\SeaMonkey\" or TargetFilePath contains @"\Comodo\IceDragon\"
        or TargetFilePath contains @"\8pecxstudios\Cyberfox\" or TargetFilePath contains @"\FlashPeak\SlimBrowser\" or TargetFilePath contains @"\Moonchild Productions\Pale Moon\")
    and (TargetFilePath contains @"\Profiles\" or TargetFilePath contains @"\User Data")
    and (TargetFilePath contains @"\Login Data" or TargetFilePath contains @"\Cookies" or TargetFilePath contains @"\EncryptedStorage" or TargetFilePath contains @"\WebCache\"
        or TargetFilePath endswith "cert9.db" or TargetFilePath endswith "cookies.sqlite" or TargetFilePath endswith "formhistory.sqlite" or TargetFilePath endswith "key3.db"
        or TargetFilePath endswith "key4.db" or TargetFilePath endswith "Login Data.sqlite" or TargetFilePath endswith "logins.json" or TargetFilePath endswith "places.sqlite")
// filter_main_img: the browsers reading their own profile
| where not(ActingProcessName endswith @"\Sputnik.exe" or ActingProcessName endswith @"\ChromePlus.exe" or ActingProcessName endswith @"\QIP Surf.exe"
        or ActingProcessName endswith @"\BlackHawk.exe" or ActingProcessName endswith @"\7Star.exe" or ActingProcessName endswith @"\Sleipnir5.exe"
        or ActingProcessName endswith @"\Citrio.exe" or ActingProcessName endswith @"\Chrome SxS.exe" or ActingProcessName endswith @"\Chrome.exe"
        or ActingProcessName endswith @"\Coowon.exe" or ActingProcessName endswith @"\CocCocBrowser.exe" or ActingProcessName endswith @"\Uran.exe"
        or ActingProcessName endswith @"\QQBrowser.exe" or ActingProcessName endswith @"\Orbitum.exe" or ActingProcessName endswith @"\Slimjet.exe"
        or ActingProcessName endswith @"\Iridium.exe" or ActingProcessName endswith @"\Vivaldi.exe" or ActingProcessName endswith @"\Chromium.exe"
        or ActingProcessName endswith @"\GhostBrowser.exe" or ActingProcessName endswith @"\CentBrowser.exe" or ActingProcessName endswith @"\Xvast.exe"
        or ActingProcessName endswith @"\Chedot.exe" or ActingProcessName endswith @"\SuperBird.exe" or ActingProcessName endswith @"\360Browser.exe"
        or ActingProcessName endswith @"\360Chrome.exe" or ActingProcessName endswith @"\dragon.exe" or ActingProcessName endswith @"\brave.exe"
        or ActingProcessName endswith @"\torch.exe" or ActingProcessName endswith @"\UCBrowser.exe" or ActingProcessName endswith @"\BliskBrowser.exe"
        or ActingProcessName endswith @"\Epic Privacy Browser.exe" or ActingProcessName endswith @"\nichrome.exe" or ActingProcessName endswith @"\AmigoBrowser.exe"
        or ActingProcessName endswith @"\KometaBrowser.exe" or ActingProcessName endswith @"\XpomBrowser.exe" or ActingProcessName endswith @"\msedge.exe"
        or ActingProcessName endswith @"\LiebaoBrowser.exe" or ActingProcessName endswith @"\AvastBrowser.exe" or ActingProcessName endswith @"\Kinza.exe"
        or ActingProcessName endswith @"\seamonkey.exe" or ActingProcessName endswith @"\icedragon.exe" or ActingProcessName endswith @"\cyberfox.exe"
        or ActingProcessName endswith @"\SlimBrowser.exe" or ActingProcessName endswith @"\palemoon.exe")
// filter_main_path: any image under a browser vendor directory (note how broad \Microsoft\, \Google\ and \Mozilla\ are)
| where not(ActingProcessName contains @"\Sputnik\" or ActingProcessName contains @"\MapleStudio\" or ActingProcessName contains @"\QIP Surf\"
        or ActingProcessName contains @"\BlackHawk\" or ActingProcessName contains @"\7Star\" or ActingProcessName contains @"\Fenrir Inc\"
        or ActingProcessName contains @"\CatalinaGroup\" or ActingProcessName contains @"\Google\" or ActingProcessName contains @"\Coowon\"
        or ActingProcessName contains @"\CocCoc\" or ActingProcessName contains @"\uCozMedia\" or ActingProcessName contains @"\Tencent\"
        or ActingProcessName contains @"\Orbitum\" or ActingProcessName contains @"\Slimjet\" or ActingProcessName contains @"\Iridium\"
        or ActingProcessName contains @"\Vivaldi\" or ActingProcessName contains @"\Chromium\" or ActingProcessName contains @"\GhostBrowser\"
        or ActingProcessName contains @"\CentBrowser\" or ActingProcessName contains @"\Xvast\" or ActingProcessName contains @"\Chedot\"
        or ActingProcessName contains @"\SuperBird\" or ActingProcessName contains @"\360Browser\" or ActingProcessName contains @"\360Chrome\"
        or ActingProcessName contains @"\Comodo\" or ActingProcessName contains @"\BraveSoftware\" or ActingProcessName contains @"\Torch\"
        or ActingProcessName contains @"\UCBrowser\" or ActingProcessName contains @"\Blisk\" or ActingProcessName contains @"\Epic Privacy Browser\"
        or ActingProcessName contains @"\Nichrome\" or ActingProcessName contains @"\Amigo\" or ActingProcessName contains @"\Kometa\"
        or ActingProcessName contains @"\Xpom\" or ActingProcessName contains @"\Microsoft\" or ActingProcessName contains @"\Liebao7\"
        or ActingProcessName contains @"\AVAST Software\" or ActingProcessName contains @"\Kinza\" or ActingProcessName contains @"\Mozilla\"
        or ActingProcessName contains @"\8pecxstudios\" or ActingProcessName contains @"\FlashPeak\" or ActingProcessName contains @"\Moonchild Productions\")
// filter_main_system and filter_main_generic
| where not(ActingProcessName =~ "System" and ParentProcessName =~ "Idle")
| where not(ActingProcessName startswith @"C:\Program Files\" or ActingProcessName startswith @"C:\Program Files (x86)\"
        or ActingProcessName startswith @"C:\Windows\System32\" or ActingProcessName startswith @"C:\Windows\SysWOW64\")
// filter_optional_*: Defender engine binaries, THOR scanner, children of msiexec, everything.exe
| where not((ActingProcessName contains @"\Microsoft\Windows Defender\" and (ActingProcessName endswith @"\MpCopyAccelerator.exe" or ActingProcessName endswith @"\MsMpEng.exe"))
        or ActingProcessName endswith @"\thor.exe" or ActingProcessName endswith @"\thor64.exe"
        or ParentProcessName =~ @"C:\Windows\System32\msiexec.exe"
        or ActingProcessName endswith @"\everything.exe")
Scenario: Endpoint protection scanning browser profiles
Description: Antivirus and EDR engines open every file under the profile directory during a full scan, Login Data and Cookies included. On current Windows builds the Defender engine (MsMpEng.exe) runs from C:\ProgramData\Microsoft\Windows Defender\Platform\, outside the filter_main_generic prefixes, which is why the rule carries a dedicated filter_optional_defender entry.
Filter/Exclusion: Extend filter_optional_* with the deployed product's image directory plus executable name, as the rule does for Defender and THOR. Do not exclude on a bare executable name; a dropper can call itself anything.
Scenario: Backup and profile-synchronization software
Description: Backup agents and roaming-profile tools read the profile directory wholesale. Agents installed under C:\Program Files\ are already exempt through filter_main_generic; agents on another partition or in a per-user directory are not, which is the third false positive listed in the rule.
Filter/Exclusion: Add an Image|startswith entry for the agent's full install directory (for example D:\Apps\<vendor>\). System32 services such as vssvc.exe need no entry, since they already fall under filter_main_generic.
Scenario: Administrative scripts clearing browser data
Description: Cleanup scripts that delete caches or cookies touch the same files. Run through cmd.exe or powershell.exe from C:\Windows\System32\, they do not fire, because filter_main_generic exempts that directory. The same exemption means the rule does not see System32-hosted interpreters used by stealers, so there is nothing to gain from widening it.
Filter/Exclusion: Do not add cmd.exe or powershell.exe by name. An interpreter copied to a user-writable directory and reading Login Data is exactly what the rule should surface.
Scenario: Password managers and other third-party software importing browser data
Description: Password managers import saved logins from Login Data once at setup, and some sync tools read cookies. Browser extensions are not a separate source of alerts: they execute inside the browser process, which filter_main_img already exempts.
Filter/Exclusion: Installs under C:\Program Files\ are already exempt. For per-user installs (for example under %LOCALAPPDATA%\Programs\), add the vendor's full image path to filter_optional_* after confirming the binary's signature. A one-time import is expected; repeated reads of Login Data by a tool that only needs an import deserve a look.
Scenario: Manual file handling by a user
Description: Browsing to the profile folder in File Explorer normally does not read the database contents, but copying Login Data or Cookies out of it does, and C:\Windows\explorer.exe sits under none of the filter_main_generic prefixes, so such a copy fires the rule.
Filter/Exclusion: Treat this as a triage case rather than an exclusion. A user copying their own credential store is rare, and it is the same file movement a hands-on-keyboard intruder performs. Do not exclude explorer.exe by name.
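To make the rule's condition and the tuning advice above concrete, here is the detection logic re-implemented in Python and run over constructed file-access events. This is an added example, not code from the page, the rule authors or SigmaHQ. It assumes Sigma's default string semantics (case-insensitive contains / endswith / startswith), uses a trimmed subset of the rule's path and image lists (the YAML above is authoritative), and adds one tuning hook of its own, extra_image_prefixes, to show the effect of excluding a backup agent by full install path rather than by executable name. The sample paths and process names are constructed, not taken from telemetry.

```python
"""Added example (not code from the page, the rule authors or SigmaHQ): the rule's
detection logic re-implemented in Python so it can be run over sample events.
Sigma string modifiers are case-insensitive substring / suffix / prefix tests.
The path and image lists are a trimmed subset of the rule's; the YAML is authoritative."""
from dataclasses import dataclass

# Subset of selection_browser_paths (the rule lists ~40 browsers).
BROWSER_PATHS = ["\\Google\\Chrome", "\\Microsoft\\Edge", "\\BraveSoftware\\Brave-Browser",
                 "\\Vivaldi", "\\Chromium", "\\Mozilla\\SeaMonkey\\"]
BROWSER_SUBPATHS = ["\\Profiles\\", "\\User Data"]  # selection_browser_subpaths
CRED_FILE_CONTAINS = ["\\Login Data", "\\Cookies", "\\EncryptedStorage", "\\WebCache\\"]
CRED_FILE_ENDSWITH = ["cert9.db", "cookies.sqlite", "formhistory.sqlite", "key3.db",
                      "key4.db", "Login Data.sqlite", "logins.json", "places.sqlite"]
# Subset of filter_main_img / filter_main_path: browsers reading their own profile.
BROWSER_IMAGES = ["\\Chrome.exe", "\\msedge.exe", "\\brave.exe", "\\Vivaldi.exe",
                  "\\Chromium.exe", "\\seamonkey.exe"]
BROWSER_IMAGE_DIRS = ["\\Google\\", "\\Microsoft\\", "\\BraveSoftware\\", "\\Vivaldi\\",
                      "\\Chromium\\", "\\Mozilla\\"]
# filter_main_generic: anything running from the standard C: program and system directories.
GENERIC_PREFIXES = ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                    "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]

@dataclass(frozen=True)
class FileAccessEvent:
    image: str         # Sigma Image: full path of the process reading the file
    parent_image: str  # Sigma ParentImage
    file_name: str     # Sigma FileName: full path of the file being read

def _any(op, value, needles):
    """Sigma-style case-insensitive test; op is str.__contains__, str.endswith or str.startswith."""
    v = value.lower()
    return any(op(v, n.lower()) for n in needles)

def selection(ev):
    """all of selection_*: browser dir AND profile subdir AND a credential/cookie file."""
    return (_any(str.__contains__, ev.file_name, BROWSER_PATHS)
            and _any(str.__contains__, ev.file_name, BROWSER_SUBPATHS)
            and (_any(str.__contains__, ev.file_name, CRED_FILE_CONTAINS)
                 or _any(str.endswith, ev.file_name, CRED_FILE_ENDSWITH)))

def filter_main(ev):
    """1 of filter_main_*: the browser itself, System/Idle, or a standard install dir."""
    return (_any(str.endswith, ev.image, BROWSER_IMAGES)
            or _any(str.__contains__, ev.image, BROWSER_IMAGE_DIRS)
            or (ev.image.lower() == "system" and ev.parent_image.lower() == "idle")
            or _any(str.startswith, ev.image, GENERIC_PREFIXES))

def filter_optional(ev, extra_image_prefixes=()):
    """1 of filter_optional_* as written in the rule, plus site-specific exclusions keyed on the
    full image path prefix (extra_image_prefixes is this example's tuning hook, not the rule's)."""
    img = ev.image
    return ((_any(str.__contains__, img, ["\\Microsoft\\Windows Defender\\"])
             and _any(str.endswith, img, ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]))
            or _any(str.endswith, img, ["\\thor.exe", "\\thor64.exe", "\\everything.exe"])
            or ev.parent_image.lower() == "c:\\windows\\system32\\msiexec.exe"
            or _any(str.startswith, img, extra_image_prefixes))

def matches(ev, extra_image_prefixes=()):
    """condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(ev) and not filter_main(ev)
            and not filter_optional(ev, extra_image_prefixes))

# Constructed events, not real telemetry. Profile paths are the usual Windows defaults.
CHROME_LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
EDGE_COOKIES = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"
FIREFOX_LOGINS = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json"
EXPLORER = "C:\\Windows\\explorer.exe"
EVENTS = {
    # the browser reading its own store: excluded by filter_main_img (and filter_main_generic)
    "chrome_self": FileAccessEvent("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", EXPLORER, CHROME_LOGIN_DATA),
    # a binary in %TEMP% reading Chrome passwords: the intended hit
    "temp_stealer": FileAccessEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", EXPLORER, CHROME_LOGIN_DATA),
    # a Downloads binary reading Edge cookies (newer Chromium keeps them under Network\): hit
    "downloads_stealer": FileAccessEvent("C:\\Users\\alice\\Downloads\\invoice.exe", EXPLORER, EDGE_COOKIES),
    # the same stealer reading a Firefox profile: no hit, \Mozilla\Firefox\ is not in selection_browser_paths
    "firefox_gap": FileAccessEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", EXPLORER, FIREFOX_LOGINS),
    # powershell.exe from System32: already exempt through filter_main_generic
    "system32_powershell": FileAccessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", EXPLORER, CHROME_LOGIN_DATA),
    # backup agent on a D: partition: fires until excluded by a narrow full-path prefix
    "d_drive_backup": FileAccessEvent("D:\\Apps\\BackupAgent\\agent.exe", "C:\\Windows\\System32\\services.exe", CHROME_LOGIN_DATA),
}

def alerts(events, extra_image_prefixes=()):
    """Sorted names of the events the rule fires on."""
    return sorted(k for k, ev in events.items() if matches(ev, extra_image_prefixes))

if __name__ == "__main__":
    print("default exclusions:", alerts(EVENTS))
    print("plus D:\\Apps\\BackupAgent\\ excluded:", alerts(EVENTS, ("D:\\Apps\\BackupAgent\\",)))
```

Running it shows the two user-writable-directory stealers and the D: partition backup agent firing, while the browser itself, the System32-hosted interpreter and the Firefox read stay silent; adding the agent's full install directory to the tuning hook removes only that one event. The Firefox case is the gap to keep in mind: the event looks identical to the Chrome case from the process side, and only the path list decides.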