Potential Browser Data Stealing
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (COMMANDLINE contains "copy-item,copy ,cpi , cp ,move ,move-item, mi , mv " OR PROCESSNAME endswith "\esentutl.exe,\xcopy.exe,\robocopy.exe" OR ORIGINALFILENAME = "esentutl.exe,XCOPY.EXE,robocopy.exe") AND COMMANDLINE contains "\Amigo\User Data,\BraveSoftware\Brave-Browser\User Data,\CentBrowser\User Data,\Chromium\User Data,\CocCoc\Browser\User Data,\Comodo\Dragon\User Data,\Elements Browser\User Data,\Epic Privacy Browser\User Data,\Google\Chrome Beta\User Data,\Google\Chrome SxS\User Data,\Google\Chrome\User Data\,\Kometa\User Data,\Maxthon5\Users,\Microsoft\Edge\User Data,\Mozilla\Firefox\Profiles,\Nichrome\User Data,\Opera Software\Opera GX Stable\,\Opera Software\Opera Neon\User Data,\Opera Software\Opera Stable\,\Orbitum\User Data,\QIP Surf\User Data,\Sputnik\User Data,\Torch\User Data,\uCozMedia\Uran\User Data,\Vivaldi\User Data" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems)
