Unusual process accessed web browser credentials

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2025-12-08
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Credentials Grabbing Analytics

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an out-of-the-box (OOTB) response playbook included in the Cortex Response and Remediation Pack.

Description

An unusual process has accessed a web browser credentials file.

Attacker's Goals

Obtain access to credentials (such as cached logins) stored in the web browser.

Investigative actions

  • Determine whether it is legitimate for the process to access web browser credential data directly.
  • Analyze the process/application that accessed the credentials.
  • Check for any other suspicious actions that were performed by the process.
  • Look for unusual access to resources using credentials cached in the web browser.

Variations

Unusual process accessed web browser credentials and executed by a terminal process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Severity

High

Response playbooks

Unusual process accessed web browser credentials and executed by a terminal process

Description

An unusual process has accessed a web browser credentials file.

Attacker's Goals

Obtain access to credentials (such as cached logins) stored in the web browser.

Investigative actions

  • Determine whether it is legitimate for the process to access web browser credential data directly.
  • Analyze the process/application that accessed the credentials.
  • Check for any other suspicious actions that were performed by the process.
  • Look for unusual access to resources using credentials cached in the web browser.


Unusual unsigned process accessed web browser credentials

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Severity

Low

Description

An unusual process has accessed a web browser credentials file.

Attacker's Goals

Obtain access to credentials (such as cached logins) stored in the web browser.

Investigative actions

  • Determine whether it is legitimate for the process to access web browser credential data directly.
  • Analyze the process/application that accessed the credentials.
  • Check for any other suspicious actions that were performed by the process.
  • Look for unusual access to resources using credentials cached in the web browser.
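The detection principle behind this alert and its two variations (baseline the processes that normally read browser credential stores during a training period, alert on a process outside that baseline, escalate severity when the parent is a terminal or the image is unsigned, and deduplicate repeats for a day) can be shown in a small standalone detector. The following is an added example, not Cortex XDR code: the event schema, the credential-store file names, the list of terminal processes, the baseline rule, and the sample telemetry are all assumptions constructed for the demonstration.

```python
"""
Illustrative baseline-and-deviation detector for "unusual process accessed
web browser credentials". Added example, not Cortex XDR code: the event
schema, file-name list, terminal list and baseline logic are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed basenames of browser credential stores (Chromium "Login Data",
# Firefox logins.json and its key database); matched case-insensitively.
CREDENTIAL_FILES = {"login data", "logins.json", "key4.db"}
# Assumed interactive shells that drive the "executed by a terminal process" variation.
TERMINAL_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}


@dataclass(frozen=True)
class FileAccessEvent:
    ts: datetime
    host: str
    process: str   # image name of the process reading the file
    parent: str    # image name of its parent process
    signed: bool   # whether the image carries a valid code signature
    path: str      # file that was read


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    process: str
    variation: str
    severity: str


def is_browser_credential_file(path: str) -> bool:
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return basename in CREDENTIAL_FILES


def build_baseline(events, activation_start, training_days=30):
    """(host, process) pairs seen reading credential stores in the training window."""
    start = activation_start - timedelta(days=training_days)
    return {(e.host, e.process.lower()) for e in events
            if start <= e.ts < activation_start and is_browser_credential_file(e.path)}


def classify(event, baseline):
    """Return the Alert one event triggers, or None when it is baseline or irrelevant."""
    if not is_browser_credential_file(event.path):
        return None
    if (event.host, event.process.lower()) in baseline:
        return None  # e.g. the browser itself reading its own store
    if event.parent.lower() in TERMINAL_PROCESSES:
        variation = ("Unusual process accessed web browser credentials "
                     "and executed by a terminal process")
        severity = "High"
    elif not event.signed:
        variation, severity = "Unusual unsigned process accessed web browser credentials", "Low"
    else:
        variation, severity = "Unusual process accessed web browser credentials", "Informational"
    return Alert(event.ts, event.host, event.process, variation, severity)


def run_detector(events, activation_start, dedup_period=timedelta(days=1)):
    """Train on history before activation_start, then alert on deviations after it."""
    baseline = build_baseline(events, activation_start)
    last_seen = {}   # (host, process, variation) -> time of last alert
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < activation_start:
            continue
        alert = classify(e, baseline)
        if alert is None:
            continue
        key = (alert.host, alert.process.lower(), alert.variation)
        prev = last_seen.get(key)
        if prev is not None and e.ts - prev < dedup_period:
            continue  # same alert already raised within the deduplication period
        last_seen[key] = e.ts
        alerts.append(alert)
    return alerts


# Constructed sample telemetry for one workstation (not real data).
T0 = datetime(2025, 12, 1)
CHROME_STORE = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_PROFILE = r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default"
SAMPLE_EVENTS = [
    FileAccessEvent(T0 - timedelta(days=10), "wks01", "chrome.exe", "explorer.exe", True, CHROME_STORE),
    FileAccessEvent(T0 + timedelta(hours=9), "wks01", "chrome.exe", "explorer.exe", True, CHROME_STORE),
    FileAccessEvent(T0 + timedelta(hours=10), "wks01", "unknown.exe", "powershell.exe", False, CHROME_STORE),
    FileAccessEvent(T0 + timedelta(hours=11), "wks01", "unknown.exe", "powershell.exe", False, CHROME_STORE),
    FileAccessEvent(T0 + timedelta(hours=12), "wks01", "backup.exe", "services.exe", True,
                    FIREFOX_PROFILE + r"\logins.json"),
    FileAccessEvent(T0 + timedelta(hours=13), "wks01", "tool.exe", "explorer.exe", False,
                    FIREFOX_PROFILE + r"\key4.db"),
    FileAccessEvent(T0 + timedelta(hours=14), "wks01", "notepad.exe", "explorer.exe", True,
                    r"C:\Users\a\Documents\readme.txt"),
    FileAccessEvent(T0 + timedelta(days=2), "wks01", "unknown.exe", "cmd.exe", False, CHROME_STORE),
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_EVENTS, T0):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.host} {a.process:<12} {a.severity:<13} {a.variation}")
```

Run as a script, the sample produces four alerts: the terminal-launched process once (its repeat an hour later is suppressed, its return two days later is not), the signed service as Informational, and the unsigned tool as Low. In a real investigation the alert is only the starting point; the investigative actions above (is the access legitimate, what else did the process do, were cached credentials then used elsewhere) still have to be worked through.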