Name:Windows Credentials from Web Browsers Saved in TEMP Folder id:b36b23ea-763c-417b-bd4a-6a378dabad1a version:1 date:2024-09-24 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems. Data_source:
search:|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_web_browsers_saved_in_temp_folder_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. known_false_positives:unknown References: -https://x.com/suyog41/status/1825869470323056748 -https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: name:'View the detection results for "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Braodo Stealer' asset_type:Endpoint confidence:80 impact:80 message:A known credential file name - [$file_name$] was saved in %temp% folder of [$dest$]. mitre_attack_id: - 'T1555.003' - 'T1555' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Filesystem.dest' - 'Filesystem.file_create_time' - 'Filesystem.file_name' - 'Filesystem.user' - 'Filesystem.file_path' risk_score:64 security_domain:endpoint
