Windows Credential Access From Browser Password Store

Status: production
Severity: low
Group by: _time, dest, isAllowed, object_file_name, process_id, process_name, signature_id, target_filename
Author: Teoderick Contreras, Bhavin Patel Splunk
Source: github.com/splunk/security_content

The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file browser_app_list that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1012` Query Registry

Event coverage

Provider	Event	Title
Security-Auditing	Event ID 4663	An attempt was made to access an object.

Rule body splunk

name: Windows Credential Access From Browser Password Store
id: 72013a8e-5cea-408a-9d51-5585386b4d69
version: 21
creation_date: '2024-03-20'
modification_date: '2026-05-13'
author: Teoderick Contreras, Bhavin Patel Splunk
status: production
type: Anomaly
description: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
data_source:
    - Windows Event Log Security 4663
search: '`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path)  values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?<extracted_process_name>[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`'
how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
known_false_positives: The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.
references:
    - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
    - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A non-common browser process $process_name$ accessing browser user data folder on $dest$
analytic_story:
    - StealC Stealer
    - Salt Typhoon
    - Earth Alux
    - Quasar RAT
    - PXA Stealer
    - SnappyBee
    - Malicious Inno Setup Loader
    - Braodo Stealer
    - MoonPeak
    - Snake Keylogger
    - China-Nexus Threat Activity
    - Meduza Stealer
    - Scattered Spider
    - 0bj3ctivity Stealer
    - Scattered Lapsus$ Hunters
    - BlankGrabber Stealer
    - VIP Keylogger
asset_type: Endpoint
mitre_attack_id:
    - T1012
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: `search`

`wineventlog_security` EventCode=4663

Stage 2: `stats`

| stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode

Stage 3: `lookup`

| lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed

Lookup table: browser_app_list
Key field: browser_object_path as object_file_path
Output columns: ['browser_process_name', 'browser_process_name'], ['isAllowed', 'isAllowed']

Stage 4: `stats`

| stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path)  values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed

Stage 5: `rex`

| rex field=process_name "(?<extracted_process_name>[^\\\\]+)$"

Stage 6: `eval`

| eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1")

isMalicious =

ifmatch(browser_process_name, extracted_process_name)"0"

else"1"

Stage 7: `where`

| where isMalicious=1 and isAllowed="false"

Stage 8: `search`

| `security_content_ctime(firstTime)`

Stage 9: `search`

| `security_content_ctime(lastTime)`

Stage 10: `search`

| `windows_credential_access_from_browser_password_store_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4663` corpus 34 (splunk 29, kusto 5)
`isAllowed`	eq	`"false"`
`isMalicious`	eq	`1`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Windows Credential Access From Browser Password Store

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `stats`

Stage 3: `lookup`

Stage 4: `stats`

Stage 5: `rex`

Stage 6: `eval`

Stage 7: `where`

Stage 8: `search`

Stage 9: `search`

Stage 10: `search`

Indicators

Keyboard shortcuts

Search operators

Windows Credential Access From Browser Password Store

MITRE ATT&CK coverage

Event coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: lookup

Stage 4: stats

Stage 5: rex

Stage 6: eval

Stage 7: where

Stage 8: search

Stage 9: search

Stage 10: search

Indicators

Stage 1: `search`

Stage 2: `stats`

Stage 3: `lookup`

Stage 4: `stats`

Stage 5: `rex`

Stage 6: `eval`

Stage 7: `where`

Stage 8: `search`

Stage 9: `search`

Stage 10: `search`