Skip to content

DET0037 Detect Suspicious Access to Browser Credential Stores

Item Value
ID DET0037
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1555.003 (Credentials from Web Browsers)

Analytics

Windows

AN0105

Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent API calls to CryptUnprotectData or memory inspection attempts.

Log Sources
Data Component Name Channel
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
MonitoredPaths Browser-specific credential storage paths such as Chrome Login Data, IE Credential Locker
TimeWindow Correlation window between file read and process memory/API access

Linux

AN0106

Detects attempts to access browser credential stores (e.g., Firefox logins.json, Chrome SQLite DB) or processes (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:FILE /home//.mozilla/firefox//logins.json OR /home//.config/google-chrome//Login Data
Process Access (DC0035) auditd:SYSCALL ptrace attach
Mutable Elements
Field Description
BrowserCredentialFiles Paths of web browser credential databases to monitor
AllowedDebuggers List of expected debugging tools for dev/test environments

macOS

AN0107

Detects abnormal access to Safari credential stores (Keychain-backed) or Chrome/Firefox login databases. Observes processes executing security dump-keychain or directly reading credential files in ~/Library/Application Support. Correlates file access with suspicious process ancestry or unsigned binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog execution of security, sqlite3, or unauthorized binaries
File Access (DC0055) macos:unifiedlog ~/Library/Application Support/Google/Chrome//Login Data OR ~/Library/Application Support/Firefox//logins.json
Mutable Elements
Field Description
PrivilegedUsers Expected user context authorized to unlock Keychain or browser databases
TimeWindow Correlation window for process execution and credential file access