LoFP / Other browsers not listed that are related to Firefox may be caught by this rule.

Techniques

Sample rules

Non Firefox Process Access Firefox Profile Dir

Description

This search detects the anomalous event of a non-Firefox process accessing files in the Firefox profile folder. This folder contains all the SQLite databases of the Firefox browser related to user logins, history, cookies, etc. Most RATs and trojan spyware, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. The SACL event (4663) needs to be enabled on the Firefox profile directory to use this. Since this monitors access to the folder, we have observed noise and therefore added the SQLite DB browser and explorer.exe to the exclusions to make this detection more stable.

Detection logic

`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" 
| stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `non_firefox_process_access_firefox_profile_dir_filter`

Non Chrome Process Accessing Chrome Default Dir

Description

This search detects the anomalous event of a non-Chrome process accessing files in the Chrome user Default folder. This folder contains all the SQLite databases of the Chrome browser related to user logins, history, cookies, etc. Most RATs and trojan spyware, as well as the FIN7 JSSLoader, try to parse those SQLite databases to collect information on the compromised host. The SACL event (4663) needs to be enabled on the monitored directory to be able to use this. Since this monitors access to the folder, we observed noise that needed to be filtered out and therefore added the SQLite DB browser and explorer.exe to the exclusions to make this detection more stable.

Detection logic

`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" 
| stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `non_chrome_process_accessing_chrome_default_dir_filter`
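Both searches share one shape: keep EventCode 4663, drop processes on a wildcard allowlist, keep ObjectName under the browser's profile path, then aggregate count/min(_time)/max(_time) per distinct field tuple. The following Python is an added example (not part of the LoFP page or the Splunk content) that reimplements that logic over a handful of constructed 4663 events, so the effect of the `*sql*` and `explorer.exe` exclusions described in both rules can be seen directly; `RULES`, `spl_like`, `detect`, `make_event` and the sample paths are names and values invented here.

```python
import fnmatch
from collections import defaultdict

# Parameters lifted from the two SPL searches: the NOT (ProcessName IN (...)) allowlist and ObjectName pattern.
RULES = {
    "firefox": {"allow": ["*\\firefox.exe", "*\\explorer.exe", "*sql*"],
                "path": "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"},
    "chrome": {"allow": ["*\\chrome.exe", "*\\explorer.exe", "*sql*"],
               "path": "*\\Google\\Chrome\\User Data\\Default*"},
}
GROUP_BY = ("ObjectName", "ObjectType", "ProcessName", "AccessMask", "EventCode", "dest")

def spl_like(value, pattern):
    # SPL wildcard matching is case-insensitive; fnmatchcase on lowercased text mimics it
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_candidate(event, rule):
    # Filter half of the search: a 4663 on the profile dir by a process outside the allowlist
    if event["EventCode"] != 4663 or any(spl_like(event["ProcessName"], p) for p in rule["allow"]):
        return False
    return spl_like(event["ObjectName"], rule["path"])

def detect(events, browser):
    # Stats half: count, min(_time) as firstTime, max(_time) as lastTime per GROUP_BY tuple
    rule = RULES[browser]
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_candidate(ev, rule):
            continue
        g = groups[tuple(ev[f] for f in GROUP_BY)]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    return dict(groups)

def make_event(t, proc, obj, code=4663):
    return {"_time": t, "ProcessName": proc, "ObjectName": obj, "ObjectType": "File",
            "AccessMask": "0x1", "EventCode": code, "dest": "WS01"}

# Constructed sample events (not real telemetry); only the Temp\updater.exe accesses should surface.
FF = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2.default-release\\"
CH = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
SAMPLE_EVENTS = [
    make_event(100, "C:\\Program Files\\Mozilla Firefox\\firefox.exe", FF + "places.sqlite"),
    make_event(120, "C:\\Program Files\\DB Browser for SQLite\\DB Browser for SQLite.exe", FF + "cookies.sqlite"),
    make_event(130, "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", FF + "logins.json"),
    make_event(160, "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", FF + "logins.json"),
    make_event(170, "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", CH + "Login Data"),
    make_event(180, "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", FF + "key4.db", code=4656),
]
```

Note that the `*sql*` allowlist entry silently excludes any process whose path contains "sql", which is the trade-off the descriptions accept for stability.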