Techniques
Sample rules
Windows Credentials from Password Stores Chrome Extension Access
- source: splunk
- technicques:
Description
The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
Detection logic
`wineventlog_security`
EventCode=4663
object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*"
NOT process_path IN (
"*:\\Windows\\explorer.exe",
"*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by object_file_name object_file_path
process_name process_path
process_id EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credentials_from_password_stores_chrome_extension_access_filter`
Windows Credentials from Password Stores Chrome LocalState Access
- source: splunk
- technicques:
Description
The following analytic detects non-Chrome processes accessing the Chrome “Local State” file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
Detection logic
`wineventlog_security`
EventCode=4663
object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"
NOT process_path IN (
"*:\\Windows\\explorer.exe",
"*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"*\\platform_experience_helper.exe*",
"*:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe*"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by object_file_name object_file_path
process_name process_path
process_id EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credentials_from_password_stores_chrome_localstate_access_filter`
Windows Credentials from Password Stores Chrome Login Data Access
- source: splunk
- technicques:
Description
The following analytic identifies non-Chrome processes accessing the Chrome user data file “login data.” This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
Detection logic
`wineventlog_security`
EventCode=4663
object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
NOT process_path IN (
"*:\\Windows\\explorer.exe",
"*:\\Windows\\System32\\dllhost.exe",
"*\\AppData\\Local\\Google\\Chrome Beta\\Application\\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Dev\\Application\\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome SxS\\Application\\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\\chrome.exe",
"*\\AppData\\Local\\Google\\Chrome\\Application\\\chrome.exe"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by object_file_name object_file_path
process_name process_path
process_id EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credentials_from_password_stores_chrome_login_data_access_filter`