Techniques
Sample rules
File Access Of Signal Desktop Sensitive Data
- source: sigma
- technicques:
- t1003
Description
Detects access to Signal Desktop’s sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_signal:
ProcessName|endswith:
- \signal-portable.exe
- \signal.exe
selection:
EventID: 4663
ObjectName|contains: \AppData\Roaming\Signal\
ObjectName|endswith:
- \config.json
- \db.sqlite
ObjectType: File