Suspicious File Access to Browser Credential Storage

Rule Info

Name
Suspicious File Access to Browser Credential Storage
Author
frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
Description
Detects file access to browser credential storage paths by non-browser processes, which may indicate a credential access attempt. Adversaries access browser credential storage to extract sensitive information such as saved usernames and passwords, or session cookies. This behavior is commonly observed in credential-stealing malware.
Date
2025-05-22
Modified
None
Id
a1dfd976-4852-41d4-9507-dc6590a3ccd0
Tags
attack.credential-access attack.t1555.003 attack.discovery attack.t1217
Type
Community Rule
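The description above states the logic (credential-store path touched by a process that is not a browser) but this page does not show the rule's selection and filter lists. The following is an added example, not the Sigma rule itself or Nextron's code, that reimplements that logic in Python over constructed file-access events. The credential-store paths, browser image names and install directories it uses are this example's own assumptions. It also goes one step past the description with a stricter, path-aware variant of the browser filter, to show why a name-only filter (the usual `Image|endswith` pattern) can be bypassed by a stealer that is simply renamed to `chrome.exe`.

```python
"""Detection logic for the rule described above, reimplemented as a standalone
Python check over constructed file-access events. Added example; the paths
and process names below are this example's own assumptions, not the rule's."""
import ntpath
import re
from dataclasses import dataclass

# Assumed credential-store paths (this example's own list, not the rule's).
# Chromium family: Login Data / Web Data / Cookies under a profile directory,
# plus Local State (stores the DPAPI-protected key that unwraps "v10" blobs).
# Firefox: logins.json (encrypted logins), key4.db (key database), cookies.sqlite.
CRED_STORE_RE = re.compile(
    r"\\User Data\\(Default|Profile \d+)\\(Login Data|Web Data|Network\\Cookies|Cookies)$"
    r"|\\User Data\\Local State$"
    r"|\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)

# Assumed browser image names for the name-only filter (Image|endswith style).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe",
                  "brave.exe", "opera.exe", "vivaldi.exe"}

# Assumed install directories for the stricter, path-aware filter.
TRUSTED_BROWSER_DIRS = (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    r"C:\Program Files\Mozilla Firefox",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)


@dataclass(frozen=True)
class FileAccessEvent:
    image: str      # process that opened the file (Sigma: Image)
    file_name: str  # file that was opened (Sigma: FileName)


def _norm(path: str) -> str:
    """Case-fold and normalise separators so comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_browser_process(image: str, strict: bool = False) -> bool:
    """Name-only check by default; with strict=True the binary must also live
    in an expected install directory, so a renamed copy in %TEMP% or
    Downloads is not trusted."""
    norm = _norm(image)
    if ntpath.basename(norm) not in BROWSER_IMAGES:
        return False
    if not strict:
        return True
    return ntpath.dirname(norm) in {_norm(d) for d in TRUSTED_BROWSER_DIRS}


def detect(events, strict: bool = False):
    """Return the events where a non-browser process touched a credential store."""
    alerts = []
    for ev in events:
        if not CRED_STORE_RE.search(ev.file_name):
            continue                      # selection: not a credential store
        if is_browser_process(ev.image, strict=strict):
            continue                      # filter: the browser reading its own data
        alerts.append(ev)
    return alerts


def alert_summary(events, strict: bool = False):
    """(process name, file name) pairs for the alerts, convenient for tests and logs."""
    return [(ntpath.basename(ev.image), ntpath.basename(ev.file_name))
            for ev in detect(events, strict=strict)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Chrome reading its own password store: expected, must not alert.
    FileAccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Unknown binary in %TEMP% reading Login Data: the classic stealer pattern.
    FileAccessEvent(r"C:\Users\bob\AppData\Local\Temp\svchost_update.exe",
                    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # PowerShell reading Firefox logins.json: scripted collection.
    FileAccessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"),
    # Firefox reading its own key database: expected.
    FileAccessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                    r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"),
    # Unrelated file: no credential store involved.
    FileAccessEvent(r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\notes.txt"),
    # Stealer renamed to chrome.exe in Downloads: the name-only filter trusts it,
    # the path-aware filter does not.
    FileAccessEvent(r"C:\Users\bob\Downloads\chrome.exe",
                    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:")
        for proc, target in alert_summary(SAMPLE_EVENTS, strict=mode):
            print(f"  ALERT {proc} -> {target}")
```

In name-only mode the last event is silently accepted because the image name matches a browser; the path-aware mode flags it. When deploying the real rule, expect benign hits from backup agents, endpoint security scanners and browser helper binaries whose names differ from the main browser executable; add those as filters per environment rather than widening the browser allowlist, since every name added to it is another name an attacker can rename to.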

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
Date
2025-05-26
Commit