
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
Splunk Security Content
Summary
This analytic rule detects the potentially malicious copying of Google Chrome's user credential files, specifically the "Local State" and "Login Data" files, into temporary directories on a system. This behavior is often associated with malware such as the Braodo stealer, which targets stored browser credentials for theft. The detection monitors Sysmon Event ID 11 for instances where these Chrome files are written to paths that include a "temp" directory. This lets security teams identify suspicious file activity that may indicate an ongoing attack and take proactive measures to prevent unauthorized access to sensitive credentials.
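The detection logic described above, as an added illustration that is not the rule's own Splunk search: it runs over a handful of constructed Sysmon Event ID 11 (FileCreate) records, keeps only the standard `Image` and `TargetFilename` fields, and flags a "Local State" or "Login Data" file created under a path segment named "temp". The sample events and the segment-exact "temp" match are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 11 records reduced to the fields the check needs.
# These are sample events written for this example, not logs from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"EventID": "11", "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\work\Local State"},
    # Chrome itself rewriting its own profile files: no temp segment, no hit.
    {"EventID": "11", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Wrong event type (process create), even though the path would match.
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    # Unrelated file in a temp directory.
    {"EventID": "11", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
]

# The two Chrome credential files the rule cares about (case-insensitive).
CHROME_CRED_FILES = {"local state", "login data"}
# A path segment named exactly "temp", so "Templates" does not match.
TEMP_SEGMENT = re.compile(r"(^|[\\/])temp([\\/]|$)", re.IGNORECASE)


def is_chrome_cred_copy_to_temp(event: Dict[str, str]) -> bool:
    """True when a FileCreate event writes Local State / Login Data under a temp dir."""
    if event.get("EventID") != "11":
        return False
    target = event.get("TargetFilename", "")
    # Take the final path component, tolerating either separator.
    name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in CHROME_CRED_FILES:
        return False
    return TEMP_SEGMENT.search(target) is not None


def find_suspicious_copies(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events worth triaging; Image tells you which process wrote the file."""
    return [e for e in events if is_chrome_cred_copy_to_temp(e)]


if __name__ == "__main__":
    for hit in find_suspicious_copies(SAMPLE_EVENTS):
        print(f"{hit['Image']} -> {hit['TargetFilename']}")
```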
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Process
- File
ATT&CK Techniques
- T1555.003
- T1555
Created: 2024-11-13