Detect usage of the “sqlite” binary to query databases in Chromium-based browsers for potential data stealing.
```yaml
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
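As an added example that is not part of the rule or its references, the following Python evaluates the three selections above against constructed process_creation events. It mirrors Sigma's default case-insensitive string matching and the OR semantics of the list of maps in selection_sql (PE Product metadata or image name), and shows one coverage boundary of the rule: once the database has been copied out of the profile directory, the profile-path keyword is gone from the command line and the rule does not fire even though the SQL text still mentions cookies. Field names follow the Sigma Windows process_creation schema; the binary paths, user name and queries are assumptions made for the example.

```python
# Added example: a minimal evaluator for the Sigma rule's three selections,
# run over constructed process_creation events. Not the rule's own code.

SELECTION_SQL_PRODUCT = "sqlite"
SELECTION_SQL_IMAGE = ("\\sqlite.exe", "\\sqlite3.exe")
SELECTION_CHROMIUM = ("\\user data\\", "\\opera software\\", "\\chromiumviewer\\")
SELECTION_DATA = ("login data", "cookies", "web data", "history", "bookmarks")


def _lower(event, field):
    """Sigma string matching is case-insensitive by default; normalise once."""
    return str(event.get(field, "")).lower()


def selection_sql(event):
    # A list of maps in Sigma is an OR: PE Product metadata or image name.
    return (_lower(event, "Product") == SELECTION_SQL_PRODUCT
            or _lower(event, "Image").endswith(SELECTION_SQL_IMAGE))


def selection_chromium(event):
    cmd = _lower(event, "CommandLine")
    return any(s in cmd for s in SELECTION_CHROMIUM)


def selection_data(event):
    cmd = _lower(event, "CommandLine")
    return any(s in cmd for s in SELECTION_DATA)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_sql(event) and selection_chromium(event) and selection_data(event)


# Constructed sample events (assumed paths and queries, not real telemetry).
EVENTS = {
    # Direct query of the Chrome password store with the stock binary.
    "chrome_login_data": {
        "Image": r"C:\Tools\sqlite3.exe",
        "Product": "SQLite",
        "CommandLine": r'sqlite3.exe "C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" "SELECT origin_url, username_value FROM logins"',
    },
    # Renamed binary: only the PE Product metadata gives it away.
    "renamed_binary_opera_cookies": {
        "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
        "Product": "SQLite",
        "CommandLine": r'svc.exe "C:\Users\bob\AppData\Roaming\Opera Software\Opera Stable\Cookies" ".dump"',
    },
    # Legitimate developer use of sqlite3 on an unrelated database.
    "dev_app_db": {
        "Image": r"C:\Tools\sqlite3.exe",
        "Product": "SQLite",
        "CommandLine": r'sqlite3.exe C:\src\app\dev.db ".tables"',
    },
    # Database copied out of the profile first: the profile path is gone from
    # the command line, so selection_chromium fails even though the word
    # "cookies" in the SQL still satisfies selection_data.
    "copied_db": {
        "Image": r"C:\Tools\sqlite3.exe",
        "Product": "SQLite",
        "CommandLine": r'sqlite3.exe C:\Users\bob\AppData\Local\Temp\c.db "SELECT host_key, name, encrypted_value FROM cookies"',
    },
}


def evaluate(events=EVENTS):
    """Return the names of the events the rule would alert on."""
    return [name for name, ev in events.items() if rule_matches(ev)]


if __name__ == "__main__":
    for name in evaluate():
        print("ALERT", name)
```

Running it alerts on the first two events only. The copied_db case is worth keeping in mind when tuning: a stealer that copies the locked database to a temporary file before querying it only trips this rule if the copy keeps a recognisable name inside a profile path.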
```kusto
imProcessCreate
| where (TargetProcessFileProduct =~ "SQLite"
        or (TargetProcessName endswith "\\sqlite.exe" or TargetProcessName endswith "\\sqlite3.exe"))
    and (TargetProcessCommandLine contains "\\User Data\\"
        or TargetProcessCommandLine contains "\\Opera Software\\"
        or TargetProcessCommandLine contains "\\ChromiumViewer\\")
    and (TargetProcessCommandLine contains "Login Data"
        or TargetProcessCommandLine contains "Cookies"
        or TargetProcessCommandLine contains "Web Data"
        or TargetProcessCommandLine contains "History"
        or TargetProcessCommandLine contains "Bookmarks")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM process-creation parser; ensure the data connectors that feed it (process creation events) are enabled |