T1555.003 Credentials from Web Browsers Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let BrowserCredFiles = dynamic(["Login Data", "logins.json", "key3.db", "key4.db", "signons.sqlite", "Web Data", "Cookies", "Local State"]);
let BrowserCredPaths = dynamic(["Google\\Chrome\\User Data", "Mozilla\\Firefox\\Profiles", "Microsoft\\Edge\\User Data", "BraveSoftware\\Brave-Browser", "Opera Software"]);
let CredTheftTools = dynamic(["browserpassview", "webbrowserpassview", "chromepass", "mimikittenz", "browserghost", "sharpchromium", "hackbrowserdata", "lazagne"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where (FileName has_any (BrowserCredFiles) and FolderPath has_any (BrowserCredPaths))
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe", "SearchProtocolHost.exe", "SearchIndexer.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Access Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Browser update processes that may access credential files during migration between versions
Antivirus/EDR agents scanning browser credential directories during scheduled scans
Backup software (Acronis, Veeam, Windows Backup) that reads browser profile directories
Browser extension installers and sync services that access profile data

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*browserpassview*" OR Image="*webbrowserpassview*" OR Image="*chromepass*" OR Image="*mimikittenz*" OR Image="*browserghost*" OR Image="*sharpchromium*" OR Image="*hackbrowserdata*" OR Image="*lazagne*")
  OR (CommandLine="*Login Data*" AND NOT (Image="*chrome.exe" OR Image="*msedge.exe" OR Image="*firefox.exe" OR Image="*brave.exe"))
  OR (CommandLine="*logins.json*" AND NOT Image="*firefox.exe")
  OR (CommandLine="*key4.db*" AND NOT Image="*firefox.exe")
  OR CommandLine="*CryptUnprotectData*"
  OR CommandLine="*SELECT*FROM logins*"
  OR CommandLine="*SELECT*password_value*"
| eval CredTheftTool=if(match(Image, "(?i)(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne)"), 1, 0)
| eval BrowserFileAccess=if(match(CommandLine, "(?i)(login data|logins\.json|key4\.db|key3\.db)"), 1, 0)
| eval DPAPICall=if(match(CommandLine, "(?i)cryptunprotectdata"), 1, 0)
| eval SQLQuery=if(match(CommandLine, "(?i)(select.*from logins|select.*password_value)"), 1, 0)
| eval SuspicionScore=CredTheftTool*3 + BrowserFileAccess + DPAPICall*2 + SQLQuery*2
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, CredTheftTool, BrowserFileAccess, DPAPICall, SQLQuery, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Browser update processes that may reference credential files in command line arguments
Antivirus/EDR scanning browser profile directories
Legitimate backup software that copies browser profile data
Developer tools or database browsers used to inspect SQLite files

Elastic Security (EQL)

eql

any where (
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    file.name in ("Login Data", "logins.json", "key3.db", "key4.db", "signons.sqlite", "Web Data", "Cookies", "Local State") and
    (
      file.path like~ "*Google\\Chrome\\User Data*" or
      file.path like~ "*Mozilla\\Firefox\\Profiles*" or
      file.path like~ "*Microsoft\\Edge\\User Data*" or
      file.path like~ "*BraveSoftware\\Brave-Browser*" or
      file.path like~ "*Opera Software*"
    ) and
    not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe", "SearchProtocolHost.exe", "SearchIndexer.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.name like~ "*browserpassview*" or
      process.name like~ "*webbrowserpassview*" or
      process.name like~ "*chromepass*" or
      process.name like~ "*mimikittenz*" or
      process.name like~ "*browserghost*" or
      process.name like~ "*sharpchromium*" or
      process.name like~ "*hackbrowserdata*" or
      process.name like~ "*lazagne*" or
      (
        process.command_line like~ "*Login Data*" and
        not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
      ) or
      (
        process.command_line like~ "*logins.json*" and
        not process.name in~ ("firefox.exe")
      ) or
      (
        process.command_line like~ "*key4.db*" and
        not process.name in~ ("firefox.exe")
      ) or
      process.command_line like~ "*CryptUnprotectData*" or
      process.command_line like~ "*SELECT*FROM logins*" or
      process.command_line like~ "*SELECT*password_value*"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Sysmon via Elastic Agent Windows Security Events via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Enterprise password managers (KeePass, 1Password, Bitwarden) that integrate with browser credential stores may access these files legitimately
IT management and endpoint compliance tools (SCCM, Tanium, Qualys) that audit browser installations and profile directories
Backup software (Veeam, Acronis, Windows Backup) reading entire user profile directories including browser data folders

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(deviceid) AS LogSource,
  username AS User,
  sourceip AS SourceIP,
  QIDNAME(qid) AS EventName,
  "ProcessImage" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  CASE
    WHEN LOWER("ProcessImage") MATCHES '(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN LOWER("CommandLine") MATCHES '(?i).*(login data|logins\.json|key[34]\.db|signons\.sqlite|local state).*'
    AND NOT LOWER("ProcessImage") MATCHES '(?i).*(chrome|msedge|firefox|brave|opera)\.exe.*' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("CommandLine") MATCHES '(?i).*cryptunprotectdata.*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN LOWER("CommandLine") MATCHES '(?i).*(select.*from logins|select.*password_value).*' THEN 2
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("ProcessImage") MATCHES '(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*'
    OR (
      LOWER("CommandLine") MATCHES '(?i).*(login data|logins\.json|key[34]\.db|signons\.sqlite).*'
      AND NOT LOWER("ProcessImage") MATCHES '(?i).*(chrome|msedge|firefox|brave|opera)\.exe.*'
    )
    OR LOWER("CommandLine") MATCHES '(?i).*cryptunprotectdata.*'
    OR LOWER("CommandLine") MATCHES '(?i).*(select.*from logins|select.*password_value).*'
  )
  AND starttime >= NOW() - 86400000
ORDER BY SuspicionScore DESC, starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log (DSM) Sysmon (DSM)

Required Tables

events

False Positives

Authorized penetration testing or red team operations using credential harvesting tools under a scoped engagement
Browser migration utilities (e.g., migrating profiles from Chrome to Edge) that copy Login Data or logins.json as part of legitimate profile import
Enterprise software deployment agents that reference browser profile paths during user onboarding or policy enforcement workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| parse regex "(?s)Image:\s+(?P<Image>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine:\s+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage:\s+(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)User:\s+(?P<User>[^\r\n]+)" nodrop
| parse regex "(?s)Computer:\s+(?P<host>[^\r\n]+)" nodrop
| where (
    matches(Image, "(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*")
    or (
      matches(CommandLine, "(?i).*(login data|logins\.json|key[34]\.db|signons\.sqlite|local state).*")
      and !matches(Image, "(?i).*(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe|searchprotocolhost\.exe|searchindexer\.exe)$")
    )
    or matches(CommandLine, "(?i).*cryptunprotectdata.*")
    or matches(CommandLine, "(?i).*(select.*from logins|select.*password_value).*")
  )
| eval CredTheftTool = if(matches(Image, "(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*"), 1, 0)
| eval BrowserFileAccess = if(matches(CommandLine, "(?i).*(login data|logins\.json|key[34]\.db|key3\.db|signons\.sqlite).*"), 1, 0)
| eval DPAPICall = if(matches(CommandLine, "(?i).*cryptunprotectdata.*"), 1, 0)
| eval SQLQuery = if(matches(CommandLine, "(?i).*(select.*from logins|select.*password_value).*"), 1, 0)
| eval SuspicionScore = CredTheftTool*3 + BrowserFileAccess + DPAPICall*2 + SQLQuery*2
| where SuspicionScore > 0
| fields _messageTime, host, User, Image, CommandLine, ParentImage, CredTheftTool, BrowserFileAccess, DPAPICall, SQLQuery, SuspicionScore
| sort by SuspicionScore desc

high severity high confidence

Data Sources

Sumo Logic Windows Agent (Sysmon) Sumo Logic Cloud SIEM Enterprise

Required Tables

windows/sysmon

False Positives

EDR or DLP agents that enumerate browser extensions and profile directories as part of endpoint compliance scanning
Developer or QA automation (Selenium, Playwright) that launches browser processes referencing profile paths via command-line arguments
Firefox sync or enterprise identity federation tools that legitimately interact with key4.db or logins.json during profile synchronization

Google Chronicle / SecOps

yaral

rule t1555_003_browser_credential_theft {
  meta:
    author = "Detection Engineering"
    description = "Detects T1555.003 - credential theft from web browsers via known harvesting tools, unauthorized access to browser credential stores, DPAPI decryption calls, and SQL queries against browser password databases"
    mitre_attack_technique = "T1555.003"
    mitre_attack_tactic = "Credential Access"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1555/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne)`)
      or re.regex($e.target.process.file.full_path, `(?i)(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne)`)
      or (
        re.regex($e.target.process.command_line, `(?i)(login[_ ]data|logins\.json|key[34]\.db|signons\.sqlite|local[_ ]state)`)
        and not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe|searchprotocolhost\.exe|searchindexer\.exe)`)
      )
      or re.regex($e.target.process.command_line, `(?i)cryptunprotectdata`)
      or re.regex($e.target.process.command_line, `(?i)select.+(from logins|password_value)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint via Chronicle Forwarder CrowdStrike / SentinelOne / Carbon Black via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Automated browser testing frameworks (e.g., Puppeteer, Playwright headless) that launch Chrome or Chromium with custom profile paths referencing credential store files
DFIR or forensic tools (Autopsy, Magnet AXIOM, Nirsoft utilities) running legitimately on endpoints during authorized investigations
Enterprise SSO or identity management agents that interface with browser credential APIs for federated authentication bootstrapping

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CredTheftTool := if(regex("(?i)(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne)", field=ImageFileName, strict=false), "true", "false")
| BrowserFileAccess := if(regex("(?i)(login data|logins\\.json|key[34]\\.db|signons\\.sqlite|local state)", field=CommandLine, strict=false), "true", "false")
| DPAPICall := if(regex("(?i)cryptunprotectdata", field=CommandLine, strict=false), "true", "false")
| SQLQuery := if(regex("(?i)(select.+from logins|select.+password_value)", field=CommandLine, strict=false), "true", "false")
| LegitBrowser := if(regex("(?i)(\\\\chrome\\.exe|\\\\firefox\\.exe|\\\\msedge\\.exe|\\\\brave\\.exe|\\\\opera\\.exe|\\\\searchprotocolhost\\.exe|\\\\searchindexer\\.exe)$", field=ImageFileName, strict=false), "true", "false")
| SuspicionScore := (case { CredTheftTool = "true" | 3 ; * | 0 }) + (case { BrowserFileAccess = "true" AND LegitBrowser = "false" | 1 ; * | 0 }) + (case { DPAPICall = "true" | 2 ; * | 0 }) + (case { SQLQuery = "true" | 2 ; * | 0 })
| SuspicionScore > 0
| sort(SuspicionScore, order=desc)
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, CredTheftTool, BrowserFileAccess, DPAPICall, SQLQuery, SuspicionScore])

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2

False Positives

Security tooling or vulnerability scanners deployed by the SOC that spawn processes referencing browser credential file paths as part of authorized endpoint auditing
Browser management or fleet tooling (e.g., Google Admin, Microsoft Intune browser extensions) that references profile directories during policy enforcement
Custom enterprise scripts for browser configuration management that interact with Chrome or Firefox profile paths on managed endpoints

Credentials from Web Browsers

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections