Sensitive browser credential files accessed by a rare non browser process

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Severity

Informational

Description

A process that is not a web browser, and that is rarely observed accessing such files in this environment, read the files in which a browser stores saved credentials (for example a Chromium-based browser's Login Data database or Firefox's logins.json and key4.db; illustrative file names, not the product's monitored list). Browsers read these files constantly, so the signal is the rarity of the actor process, not the access itself.

Attacker's Goals

Achieve Credential Access by harvesting credentials from local browser storage.
This facilitates Lateral Movement and Persistence across the environment
to gain unauthorized control over sensitive resources and information.

Investigative actions

  • Determine whether the actor process that accessed the sensitive browser credential files is legitimate (a known backup, migration, or endpoint-management tool, for example).
  • Analyze the process signature, image path, and command line arguments to verify the process's authenticity; an unsigned binary, or one launched from a user-writable directory, weighs toward malicious.
  • Identify the user and parent process that launched the actor process and assess whether that launch was expected on this host.

Variations

Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Severity

Low

Description

Sensitive browser credential files were accessed by a rare non browser process whose image resides in a directory that malware commonly writes to and runs from (the variation's "commonly abused directory"), which is why this variation is rated higher than the base alert.

Attacker's Goals

Achieve Credential Access by harvesting credentials from local browser storage.
This facilitates Lateral Movement and Persistence across the environment
to gain unauthorized control over sensitive resources and information.

Investigative actions

  • Determine whether the actor process that accessed the sensitive browser credential files is legitimate; legitimate software rarely runs from the commonly abused directory the alert names.
  • Analyze the process signature, image path, and command line arguments to verify the process's authenticity.
  • Identify the user and parent process that launched the actor process from that directory and assess whether that launch was expected on this host.
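The following is an added example, not Cortex XDR code, that models the logic this alert and its variation describe: a baseline of processes seen touching browser credential stores (the training period), a single-event test that flags any non-browser process outside that baseline, a one-day deduplication window, and a severity bump when the actor image lives in a commonly abused directory. The credential file names, browser process list, abused-directory list, dedup key (host plus process image) and the sample events are all assumptions constructed for the example.

```python
"""Added example, not Cortex XDR code: a toy of the analytics logic this alert
and its variation describe, run over constructed Windows file-access events.
File names, process names, directory list and dedup key are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
import ntpath

# Files in which browsers keep saved logins (illustrative, not the product's list):
# Chromium family -> "Login Data" (SQLite); Firefox -> logins.json + key4.db.
CREDENTIAL_FILES = {"login data", "logins.json", "key4.db"}
# Processes expected to read them (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Directories droppers commonly stage payloads in (assumed list, lower-case).
COMMONLY_ABUSED_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                        "\\users\\public\\", "\\downloads\\")
DEDUP_WINDOW = timedelta(days=1)   # page: Deduplication Period 1 Day


@dataclass
class FileAccessEvent:
    ts: datetime
    host: str
    user: str
    actor_image_path: str   # full path of the process that opened the file
    actor_cmdline: str
    actor_signed: bool
    file_path: str


@dataclass
class Alert:
    ts: datetime
    host: str
    actor_image_path: str
    file_path: str
    severity: str
    name: str


def is_credential_file(path: str) -> bool:
    return ntpath.basename(path).lower() in CREDENTIAL_FILES


def from_abused_dir(image_path: str) -> bool:
    return any(d in image_path.lower() for d in COMMONLY_ABUSED_DIRS)


class BrowserCredentialAccessDetector:
    def __init__(self, training: List[FileAccessEvent]) -> None:
        # Training period: actor images already seen touching credential stores
        # form the baseline; anything else is "rare". (Product: 30 days.)
        self.baseline: Set[str] = {ntpath.basename(e.actor_image_path).lower()
                                   for e in training if is_credential_file(e.file_path)}
        self._last: Dict[Tuple[str, str], datetime] = {}

    def evaluate(self, ev: FileAccessEvent) -> Optional[Alert]:
        """Single-event test: one access by a rare non-browser process alerts."""
        if not is_credential_file(ev.file_path):
            return None
        image = ntpath.basename(ev.actor_image_path).lower()
        if image in BROWSER_PROCESSES or image in self.baseline:
            return None
        key = (ev.host, image)                          # assumed dedup key
        last = self._last.get(key)
        if last is not None and ev.ts - last < DEDUP_WINDOW:
            return None                                 # suppressed as a duplicate
        self._last[key] = ev.ts
        if from_abused_dir(ev.actor_image_path):        # the page's variation
            return Alert(ev.ts, ev.host, ev.actor_image_path, ev.file_path, "Low",
                         "Sensitive browser credential files accessed by a rare "
                         "non browser process from a commonly abused directory")
        return Alert(ev.ts, ev.host, ev.actor_image_path, ev.file_path, "Informational",
                     "Sensitive browser credential files accessed by a rare non browser process")


def triage(ev: FileAccessEvent) -> Dict[str, object]:
    """The page's investigative actions as facts an analyst pulls first."""
    return {"user": ev.user, "signed": ev.actor_signed,
            "staged_in_abused_dir": from_abused_dir(ev.actor_image_path),
            "cmdline": ev.actor_cmdline}


def demo() -> List[Alert]:
    """Constructed events; returns the alerts the detector raises, in order."""
    t0 = datetime(2026, 5, 18, 9, 0)
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    backup = r"C:\Program Files\AcmeBackup\backup.exe"        # legitimate, seen in training
    dropper = r"C:\Users\alice\AppData\Local\Temp\update.exe"
    helper = r"C:\Program Files\Helper\sync.exe"
    profile = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    ffox = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"
    training = [
        FileAccessEvent(t0 - timedelta(days=10), "WS01", "alice", chrome, "chrome.exe", True, profile),
        FileAccessEvent(t0 - timedelta(days=5), "WS01", "SYSTEM", backup, "backup.exe /full", True, profile),
    ]
    events = [
        FileAccessEvent(t0, "WS01", "alice", chrome, "chrome.exe", True, profile),                        # browser
        FileAccessEvent(t0, "WS01", "SYSTEM", backup, "backup.exe /full", True, profile),                 # baselined
        FileAccessEvent(t0 + timedelta(minutes=1), "WS01", "alice", dropper, "update.exe -q", False, profile),  # Low
        FileAccessEvent(t0 + timedelta(hours=2), "WS01", "alice", dropper, "update.exe -q", False, ffox),       # deduped
        FileAccessEvent(t0 + timedelta(hours=3), "WS01", "alice", helper, "sync.exe", True, ffox),              # Informational
        FileAccessEvent(t0 + timedelta(days=2), "WS01", "alice", dropper, "update.exe -q", False, profile),     # Low again
    ]
    det = BrowserCredentialAccessDetector(training)
    return [a for a in (det.evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for a in demo():
        print(a.severity, a.ts, a.actor_image_path, "->", a.file_path)
```

Running the demo yields three alerts: the Temp-staged update.exe raises the Low variation, its second access two hours later is suppressed by the one-day dedup window, sync.exe in Program Files raises the Informational base alert, and update.exe alerts again once the window has elapsed. The baselined backup tool never alerts, which is the trade-off the training period buys: an attacker who names a tool after a baselined binary would be missed, so the signature and image-path checks in the investigative actions matter even when the name looks familiar.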