Home/Sigma rules
Sigma

Sigma detection rules

19 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

19 shown of 19
critical
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
status stable author Florian Roth (Nextron Systems) id 7679d464-4f74-45e2-9e01-ac66c5eb041a
view Sigma YAML 
title: HackTool - SecurityXploded Execution
id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
status: stable
description: Detects the execution of SecurityXploded Tools
references:
    - https://securityxploded.com/
    - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Company: SecurityXploded
        - Image|endswith: 'PasswordDump.exe'
        - OriginalFileName|endswith: 'PasswordDump.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
high
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
status test author Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) id 7892ec59-c5bb-496d-8968-e5d210ca3ac4
view Sigma YAML 
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id d557dc06-62e8-4468-a8e8-7984124908ce
view Sigma YAML 
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id 851fd622-b675-4d26-b803-14bc7baa517a
view Sigma YAML 
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
status test author Timon Hackenjos id 77564cc2-7382-438b-a7f6-395c2ae53b9a
view Sigma YAML 
title: Remote Thread Created In KeePass.EXE
id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
status: test
description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
    - https://github.com/denandz/KeeFarce
    - https://github.com/GhostPack/KeeThief
author: Timon Hackenjos
date: 2022-04-22
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1555.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\KeePass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
status test author TropChaud id 24c77512-782b-448a-8950-eddb0785fc71
view Sigma YAML 
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
status test author Florian Roth (Nextron Systems) id a4694263-59a8-4608-a3a0-6f8d3a51664c
view Sigma YAML 
title: Suspicious Key Manager Access
id: a4694263-59a8-4608-a3a0-6f8d3a51664c
status: test
description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
references:
    - https://twitter.com/NinjaParanoid/status/1516442028963659777
author: Florian Roth (Nextron Systems)
date: 2022-04-21
modified: 2023-02-09
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'keymgr'
            - 'KRShowKeyMgr'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high
high
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
status test author Florian Roth (Nextron Systems) id 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
view Sigma YAML 
title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1555
    - cve.2021-35211
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Serv-U.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
    condition: selection
falsepositives:
    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high
medium
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
status test author Nasreddine Bencherchali (Nextron Systems) id 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
view Sigma YAML 
title: Access To Windows Credential History File By Uncommon Applications
id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
status: test
description: |
    Detects file access requests to the Windows Credential History File by an uncommon application.
    This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
references:
    - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
    - https://www.passcape.com/windows_password_recovery_dpapi_credhist
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|endswith: '\Microsoft\Protect\CREDHIST'
    filter_main_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Increase level after false positives filters are good enough
level: medium
medium
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
status test author Nasreddine Bencherchali (Nextron Systems) id 46612ae6-86be-4802-bc07-39b59feb1309
view Sigma YAML 
title: Access To Windows DPAPI Master Keys By Uncommon Applications
id: 46612ae6-86be-4802-bc07-39b59feb1309
status: test
description: |
    Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
    This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
references:
    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Protect\S-1-5-18\' # For System32
            - '\Microsoft\Protect\S-1-5-21-' # For Users
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
# Increase level after false positives filters are good enough
level: medium
medium
Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
status test author frack113 id fc028194-969d-4122-8abe-0470d5b8f12f
view Sigma YAML 
title: Access to Browser Login Data
id: fc028194-969d-4122-8abe-0470d5b8f12f
related:
    - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
      type: obsolete
    - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
      type: similar
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-01-30
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - Copy-Item
            - '-Destination'
    selection_path:
        ScriptBlockText|contains:
            - '\Opera Software\Opera Stable\Login Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Microsoft\Edge\User Data\Default'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Default\Login Data For Account'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
status test author Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) id b120b587-a4c2-4b94-875d-99c9807d6955
view Sigma YAML 
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects passwords dumps from Keychain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
    - https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1555.001
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/bin/security'
        CommandLine|contains:
            - 'find-certificate'
            - ' export '
    selection2:
        CommandLine|contains:
            - ' dump-keychain '
            - ' login-keychain '
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
medium
Dump Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
status test author frack113 id 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
view Sigma YAML 
title: Dump Credentials from Windows Credential Manager With PowerShell
id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
status: test
description: |
    Adversaries may search for common password storage locations to obtain user credentials.
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_kiddie:
        ScriptBlockText|contains:
            - 'Get-PasswordVaultCredentials'
            - 'Get-CredManCreds'
    selection_rename_Password:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'Windows.Security.Credentials.PasswordVault'
    selection_rename_credman:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'Microsoft.CSharp.CSharpCodeProvider'
            - '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
            - 'Collections.ArrayList'
            - 'System.CodeDom.Compiler.CompilerParameters'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
status test author frack113 id 603c6630-5225-49c1-8047-26c964553e0e
view Sigma YAML 
title: Enumerate Credentials from Windows Credential Manager With PowerShell
id: 603c6630-5225-49c1-8047-26c964553e0e
status: test
description: |
    Adversaries may search for common password storage locations to obtain user credentials.
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - vaultcmd
            - '/listcreds:'
    selection_option:
        ScriptBlockText|contains:
            - 'Windows Credentials'
            - 'Web Credentials'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id a840e606-7c8c-4684-9bc1-eb6b6155127f
view Sigma YAML 
title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
medium
PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
status test author frack113 id d0dae994-26c6-4d2d-83b5-b3c8b79ae513
view Sigma YAML 
title: PUA - WebBrowserPassView Execution
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: test
description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-08-20
modified: 2023-02-14
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Web Browser Password Viewer'
        - Image|endswith: '\WebBrowserPassView.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
status test author Nasreddine Bencherchali (Nextron Systems) id 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
view Sigma YAML 
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
    - id: fc028194-969d-4122-8abe-0470d5b8f12f
      type: derived
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - CommandLine|contains:
              - 'copy-item'
              - 'copy '
              - 'cpi '
              - ' cp '
              - 'move '
              - 'move-item'
              - ' mi '
              - ' mv '
        - Image|endswith:
              - '\esentutl.exe' # akira ransomware
              - '\xcopy.exe'
              - '\robocopy.exe'
        - OriginalFileName:
              - 'esentutl.exe'
              - 'XCOPY.EXE'
              - 'robocopy.exe'
    selection_path:
        CommandLine|contains:
            - '\Amigo\User Data'
            - '\BraveSoftware\Brave-Browser\User Data'
            - '\CentBrowser\User Data'
            - '\Chromium\User Data'
            - '\CocCoc\Browser\User Data'
            - '\Comodo\Dragon\User Data'
            - '\Elements Browser\User Data'
            - '\Epic Privacy Browser\User Data'
            - '\Google\Chrome Beta\User Data'
            - '\Google\Chrome SxS\User Data'
            - '\Google\Chrome\User Data\'
            - '\Kometa\User Data'
            - '\Maxthon5\Users'
            - '\Microsoft\Edge\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Nichrome\User Data'
            - '\Opera Software\Opera GX Stable\'
            - '\Opera Software\Opera Neon\User Data'
            - '\Opera Software\Opera Stable\'
            - '\Orbitum\User Data'
            - '\QIP Surf\User Data'
            - '\Sputnik\User Data'
            - '\Torch\User Data'
            - '\uCozMedia\Uran\User Data'
            - '\Vivaldi\User Data'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Windows Credential Manager Access via VaultCmd
List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
status test author frack113 id 58f50261-c53b-4c88-bd12-1d71f12eda4c
view Sigma YAML 
title: Windows Credential Manager Access via VaultCmd
id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
status: test
description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
author: frack113
date: 2022-04-08
modified: 2022-05-13
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VaultCmd.exe'
        - OriginalFileName: 'VAULTCMD.EXE'
    selection_cli:
        CommandLine|contains: '/listcreds:'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
low
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
status experimental author frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore id a1dfd976-4852-41d4-9507-dc6590a3ccd0
view Sigma YAML 
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is often commonly observed in credential stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
              - '\Login Data'
              - '\Cookies'
              - '\EncryptedStorage'
              - '\WebCache\'
        - FileName|endswith:
              - 'cert9.db'
              - 'cookies.sqlite'
              - 'formhistory.sqlite'
              - 'key3.db'
              - 'key4.db'
              - 'Login Data.sqlite'
              - 'logins.json'
              - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
Showing 1-19 of 19
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin