| ID | Technique | Tactic |
|---|---|---|
| T1012 | Query Registry | Discovery |
Detection: Windows Credentials from Password Stores Chrome Extension Access
Description
The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
Search
1`wineventlog_security`
2EventCode=4663
3object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*"
4NOT process_path IN (
5 "*:\\Windows\\explorer.exe",
6 "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
7 "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
8 "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
9 "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
10 "*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"
11)
12
13| stats count min(_time) as firstTime
14 max(_time) as lastTime
15
16 by object_file_name object_file_path
17 process_name process_path
18 process_id EventCode dest
19
20
21| `security_content_ctime(firstTime)`
22
23| `security_content_ctime(lastTime)`
24
25| `windows_credentials_from_password_stores_chrome_extension_access_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 | 'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_credentials_from_password_stores_chrome_extension_access_filter | search * |
windows_credentials_from_password_stores_chrome_extension_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
Known False Positives
The chrome uninstaller will access these set of files and folders. Filter as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ | dest | system | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 13