| ID | Technique | Tactic |
|---|---|---|
| T1012 | Query Registry | Discovery |
Detection: Windows Credential Access From Browser Password Store
Description
The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file browser_app_list that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
Search
1`wineventlog_security` EventCode=4663
2| stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode
3| lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed
4| stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed
5| rex field=process_name "(?<extracted_process_name>[^\\\\]+)$"
6| eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1")
7| where isMalicious=1 and isAllowed="false"
8| `security_content_ctime(firstTime)`
9| `security_content_ctime(lastTime)`
10| `windows_credential_access_from_browser_password_store_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Windows Event Log Security 4663 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Security' |
N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_credential_access_from_browser_password_store_filter | search * |
windows_credential_access_from_browser_password_store_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
APT32
APT39
APT41
Chimera
Dragonfly
Fox Kitten
Kimsuky
Lazarus Group
OilRig
Stealth Falcon
Threat Group-3390
Turla
Volt Typhoon
ZIRCONIUM
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
Known False Positives
The lookup file browser_app_list may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| A non-common browser process $process_name$ accessing browser user data folder on $dest$ | 25 | 50 | 50 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
-
https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
-
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2