LoFP / the lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.

Techniques

• T1012

Sample rules

Windows Credential Access From Browser Password Store

• source: splunk
• technicques:
  • T1012

Description

The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file browser_app_list that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.

Detection logic

`wineventlog_security` EventCode=4663 
| lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed 
| stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path)  values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed 
| rex field=process_name "(?<extracted_process_name>[^\\\\]+)$" 
| eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") 
| where isMalicious=1 and isAllowed="false" 
| `windows_credential_access_from_browser_password_store_filter`