| ID | Technique | Tactic |
|---|---|---|
| T1012 | Query Registry | Discovery |
Detection: Windows Credentials from Password Stores Chrome LocalState Access
Description
The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
Search
1`wineventlog_security`
2EventCode=4663
3object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"
4NOT process_path IN (
5 "*:\\Windows\\explorer.exe",
6 "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
7 "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
8 "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
9 "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
10 "*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
11 "*\\platform_experience_helper.exe*",
12 "*:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe*"
13)
14
15| stats count min(_time) as firstTime
16 max(_time) as lastTime
17
18 by object_file_name object_file_path
19 process_name process_path
20 process_id EventCode dest
21
22
23| `security_content_ctime(firstTime)`
24
25| `security_content_ctime(lastTime)`
26
27| `windows_credentials_from_password_stores_chrome_localstate_access_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 | 'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| wineventlog_security | eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security" |
| windows_credentials_from_password_stores_chrome_localstate_access_filter | search * |
windows_credentials_from_password_stores_chrome_localstate_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
Known False Positives
The chrome uninstaller will access these set of files and folders. Filter as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A non-chrome process $process_name$ accessing "Chrome\User Data\Local State" file on $dest$ | dest | system | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 23