T1555.003 Sumo Logic CSE · Sumo

Detect Credentials from Web Browsers in Sumo Logic CSE

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords in encrypted format within credential stores. On Windows, encrypted credentials may be obtained from Chrome by reading the Login Data SQLite database and decrypting via CryptUnprotectData. Firefox stores credentials in key3.db/key4.db and logins.json. Edge and Internet Explorer credentials are managed by Windows Credential Manager. Adversaries may also search browser process memory for credential patterns using tools like mimikittenz.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.003 Credentials from Web Browsers
Canonical reference
https://attack.mitre.org/techniques/T1555/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=windows/sysmon EventCode=1
| parse regex "(?s)Image:\s+(?P<Image>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine:\s+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage:\s+(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)User:\s+(?P<User>[^\r\n]+)" nodrop
| parse regex "(?s)Computer:\s+(?P<host>[^\r\n]+)" nodrop
| where (
    matches(Image, "(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*")
    or (
      matches(CommandLine, "(?i).*(login data|logins\.json|key[34]\.db|signons\.sqlite|local state).*")
      and !matches(Image, "(?i).*(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe|searchprotocolhost\.exe|searchindexer\.exe)$")
    )
    or matches(CommandLine, "(?i).*cryptunprotectdata.*")
    or matches(CommandLine, "(?i).*(select.*from logins|select.*password_value).*")
  )
| eval CredTheftTool = if(matches(Image, "(?i).*(browserpassview|webbrowserpassview|chromepass|mimikittenz|browserghost|sharpchromium|hackbrowserdata|lazagne).*"), 1, 0)
| eval BrowserFileAccess = if(matches(CommandLine, "(?i).*(login data|logins\.json|key[34]\.db|key3\.db|signons\.sqlite).*"), 1, 0)
| eval DPAPICall = if(matches(CommandLine, "(?i).*cryptunprotectdata.*"), 1, 0)
| eval SQLQuery = if(matches(CommandLine, "(?i).*(select.*from logins|select.*password_value).*"), 1, 0)
| eval SuspicionScore = CredTheftTool*3 + BrowserFileAccess + DPAPICall*2 + SQLQuery*2
| where SuspicionScore > 0
| fields _messageTime, host, User, Image, CommandLine, ParentImage, CredTheftTool, BrowserFileAccess, DPAPICall, SQLQuery, SuspicionScore
| sort by SuspicionScore desc
high severity high confidence

Sumo Logic detection for T1555.003 parsing Sysmon Process Create events (EventCode 1) using regex field extraction. Identifies known browser credential theft tools and suspicious command-line access to browser password stores by non-browser processes. Applies the same four-dimension suspicion scoring model as the reference SPL query to rank detections.

Data Sources

Sumo Logic Windows Agent (Sysmon)Sumo Logic Cloud SIEM Enterprise

Required Tables

windows/sysmon

False Positives & Tuning

  • EDR or DLP agents that enumerate browser extensions and profile directories as part of endpoint compliance scanning
  • Developer or QA automation (Selenium, Playwright) that launches browser processes referencing profile paths via command-line arguments
  • Firefox sync or enterprise identity federation tools that legitimately interact with key4.db or logins.json during profile synchronization
Download portable Sigma rule (.yml)

Other platforms for T1555.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy Chrome Login Data for offline extraction

    Expected signal: Sysmon Event ID 11: FileCreate for the copied Login Data file. Sysmon Event ID 1: Process Create for cmd.exe with copy command. DeviceFileEvents in MDE showing file copy from Chrome directory.

  2. Test 2Query Chrome credentials with sqlite3

    Expected signal: Sysmon Event ID 1: Process Create with Image=sqlite3.exe, CommandLine containing 'Login Data' and 'SELECT...FROM logins'. DeviceFileEvents showing sqlite3 reading Login Data file.

  3. Test 3Extract Firefox credentials with LaZagne

    Expected signal: Sysmon Event ID 1: Process Create with Image containing 'lazagne'. Sysmon Event ID 11: potential output file creation. Multiple file access events as LaZagne reads credential stores from all installed browsers.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1555.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.004Windows Credential ManagerT1555.005Password ManagersT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1555.004Windows Credential ManagerT1539Steal Web Session CookieT1005Data from Local SystemT1074.001Local Data StagingT1041Exfiltration Over C2 Channel

Same Tactic: Credential Access

Popular Detections