This note documents detection patterns related to Browser Credential Dumping within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects browser dump tooling, SQLite access tools, and credential extraction commands. |
| Sysmon | 1 | Process creation | Critical | Best execution source for browser dump tooling and lineage. |
| Sysmon | 11 | File create | Critical | Captures copied login databases, exported credentials, temp dumps. |
| Sysmon | 10 | Process access | High | Useful if browser process memory accessed directly. |
| Security | 4663 | Object access | High | Browser database access if auditing enabled. |
| Sysmon | 7 | Image loaded | Medium | SQLite libraries or crypto DLLs loaded unexpectedly. |
| PowerShell | 4104 | Script block logging | Critical | Scripted browser credential extraction. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Access to Login Data DB | Chrome / Edge SQLite credential store | Critical | Core browser theft signal. |
| Cookies DB copied | Session theft preparation | High | Often paired with credential dump. |
| Browser profile copied to Temp | Staging for offline parsing | Critical | Common attacker workflow. |
| DPAPI + browser path chain | Masterkey + DB access | Critical | Strong full credential theft chain. |
| Browser closed before dump | Locked DB bypass tactic | Medium | Operational clue. |
| Export file created | TXT / CSV / JSON secrets | Critical | Immediate theft evidence. |
Common Tools
| Tool | Usage |
|---|---|
| SharpChrome | Chrome credential extraction |
| mimikatz | Browser secrets via DPAPI |
| LaZagne | Browser password dumping |
| sqlite3.exe | Manual DB extraction |
| PowerShell | Browser DB copy / DPAPI decrypt |
| custom scripts | Credential parsing |
Relevant Artifacts
- Sysmon Event IDs 1, 10, 11
- Security Event IDs 4688, 4663
- PowerShell 4104
- Browser paths:
  - %LOCALAPPDATA%\Google\Chrome\User Data\
  - %LOCALAPPDATA%\Microsoft\Edge\User Data\
  - %APPDATA%\Mozilla\Firefox\Profiles\
- Files:
  - Login Data
  - Cookies
  - Web Data
- Prefetch: SQLITE3.EXE, MIMIKATZ.EXE, SHARPCHROME.EXE
- Amcache / ShimCache
- MFT / USN for copied DBs
MITRE ATT&CK References
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Web Browsers
- T1003 OS Credential Dumping
Decision Tree
- Which browser artifact accessed?
  - Login Data
  - Cookies
  - Firefox profile
- Which process performed access?
  - Signed?
  - Known tool?
- DPAPI involved?
  - Masterkey access
  - LSASS access
- Output created?
  - Temp file
  - Archive
  - Exfil candidate
- Expand:
  - Session theft
  - Browser history access
  - Additional user profiles
- Scope:
  - Single profile
  - Multi-user collection
  - Enterprise spread
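The decision tree above, worked through in code as an added example (this is not part of the original note): a Python triage routine that groups Sysmon Event ID 1/10/11 records by ProcessGuid and answers the tree's branches for each non-browser process: which store was touched, whether a known tool ran, whether LSASS was accessed (the DPAPI chain), and whether an export file was written. The host name, process GUIDs, binary names, file paths and timestamps are constructed sample data; the 5-minute window is an assumption chosen to match the EQL sequence in the templates below.

```python
"""Walk the browser-credential decision tree over Sysmon events (added example).

Each event is a dict keyed by Sysmon EventData names (UtcTime, Image,
CommandLine, TargetFilename, TargetImage, ProcessGuid). The sample events
below are constructed for this example; they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Artifact names and locations from the note. Paths are lower-cased and
# backslashes normalised to "/" before matching.
PROFILE_DIRS = ("/google/chrome/user data/", "/microsoft/edge/user data/",
                "/mozilla/firefox/profiles/")
STORE_FILES = ("login data", "cookies", "web data")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
KNOWN_TOOLS = ("sharpchrome", "lazagne", "mimikatz", "sqlite3")
EXPORT_EXTS = (".txt", ".csv", ".json", ".zip", ".7z")


def norm(path):
    return path.lower().replace("\\", "/")


def basename(path):
    return norm(path).rsplit("/", 1)[-1]


def in_profile(path):
    return any(d in norm(path) for d in PROFILE_DIRS)


def artifact_kind(path):
    """Answer 'which browser artifact?' for a file path, or None if it is not one."""
    if "/mozilla/firefox/profiles/" in norm(path):
        return "Firefox profile"
    name = basename(path)
    return name.title() if name in STORE_FILES else None


def triage(events, maxspan=timedelta(minutes=5)):
    """Group events by ProcessGuid and walk the tree for each non-browser process.

    Returns one finding per process that created a browser store file within
    `maxspan` of its start, carrying the tree's answers and a severity.
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e["ProcessGuid"]].append(e)

    findings = []
    for guid, evs in by_proc.items():
        evs.sort(key=lambda e: e["UtcTime"])
        proc = next((e for e in evs if e["EventID"] == 1), None)
        if proc is None or basename(proc["Image"]) in BROWSERS:
            continue  # no creation record, or the browser maintaining its own store
        deadline = proc["UtcTime"] + maxspan
        creates = [e for e in evs if e["EventID"] == 11 and e["UtcTime"] <= deadline]
        artifacts = sorted({artifact_kind(e["TargetFilename"]) for e in creates} - {None})
        if not artifacts:
            continue  # branch 1: no browser artifact touched
        cmd = norm(proc["Image"] + " " + proc.get("CommandLine", ""))
        known_tool = next((t for t in KNOWN_TOOLS if t in cmd), None)  # branch 2
        staged = any(artifact_kind(e["TargetFilename"]) and not in_profile(e["TargetFilename"])
                     for e in creates)  # store copied outside the profile directory
        lsass = any(e["EventID"] == 10 and basename(e["TargetImage"]) == "lsass.exe"
                    and e["UtcTime"] <= deadline for e in evs)  # branch 3: DPAPI chain
        exports = [e["TargetFilename"] for e in creates
                   if norm(e["TargetFilename"]).endswith(EXPORT_EXTS)]  # branch 4: output
        severity = ("critical" if (known_tool or lsass or exports)
                    else "high" if staged else "medium")
        findings.append({
            "computer": proc["Computer"], "process_guid": guid, "image": proc["Image"],
            "artifacts": artifacts, "known_tool": known_tool, "staged_copy": staged,
            "dpapi_lsass_access": lsass, "exports": exports, "severity": severity,
        })
    return findings


def ev(eid, t, guid, image, **extra):
    """Build one constructed Sysmon-style event (sample data, not real telemetry)."""
    return {"EventID": eid, "UtcTime": datetime.fromisoformat(t), "Computer": "WS01",
            "ProcessGuid": guid, "Image": image, **extra}


TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Benign: Chrome writing its own store inside the profile directory (skipped).
    ev(1, "2026-03-07T10:00:00", "{B1}", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ev(11, "2026-03-07T10:00:05", "{B1}", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       TargetFilename=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Full chain: unknown binary in Temp stages Login Data, reaches LSASS, writes an export.
    ev(1, "2026-03-07T10:10:00", "{A1}", TEMP + r"\upd.exe", CommandLine="upd.exe -p"),
    ev(11, "2026-03-07T10:10:02", "{A1}", TEMP + r"\upd.exe", TargetFilename=TEMP + r"\Login Data"),
    ev(10, "2026-03-07T10:10:03", "{A1}", TEMP + r"\upd.exe", TargetImage=r"C:\Windows\System32\lsass.exe"),
    ev(11, "2026-03-07T10:10:09", "{A1}", TEMP + r"\upd.exe", TargetFilename=TEMP + r"\creds.txt"),
    # Weaker signal: cmd.exe only drops a copy of the Cookies DB into Temp.
    ev(1, "2026-03-07T11:00:00", "{C1}", r"C:\Windows\System32\cmd.exe"),
    ev(11, "2026-03-07T11:00:01", "{C1}", r"C:\Windows\System32\cmd.exe", TargetFilename=TEMP + r"\Cookies"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["artifacts"],
              "lsass-access" if f["dpapi_lsass_access"] else "", f["exports"])
```

Excluding the browser's own process is what keeps the normal Login Data writes out of the results; the "Scope" and "Expand" branches of the tree are a matter of re-running the same correlation across users and hosts, so the finding carries `computer` and `image` for that grouping.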
Example Detection Templates
KQL

```kql
// Sysmon Event ID 1: process creation naming browser dump tooling or the credential store
Sysmon
| where EventID == 1
| where CommandLine has_any ("SharpChrome", "LaZagne", "sqlite", "Login Data")
| project TimeGenerated, Computer, User, CommandLine
```

```kql
// Sysmon Event ID 11: creation of browser credential database files (staged copies)
Sysmon
| where EventID == 11
| where TargetFilename has_any ("Login Data", "Cookies", "Web Data")
| project TimeGenerated, Computer, TargetFilename
```
EQL

```eql
// Single-event match on command lines naming the tool or the credential store
process where process.command_line like "*SharpChrome*" or process.command_line like "*Login Data*"
```

```eql
// Process start followed within 5 minutes by file activity on the Login Data store on the same host;
// the first stage matches any process, so narrow it (for example by excluding the browser itself)
// to cut noise from the browser's own writes
sequence by host.name with maxspan=5m
  [ process where process.name != null ]
  [ file where file.path like "*Login Data*" ]
```
Sigma

```yaml
title: Browser Credential Dumping Detection
id: 5e1b8a62-browser-dump
status: experimental
description: Detects browser credential database access linked to credential theft
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    CommandLine|contains:
      - 'SharpChrome'
      - 'LaZagne'
      - 'Login Data'
      - 'Cookies'
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Browser migration tools
level: high
tags:
  - attack.credential_access
  - attack.t1555.003
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| DPAPI hardening | Protect masterkeys | Critical | Core browser secret dependency |
| Browser password policy | Restrict local secret storage | High | Reduce value |
| Sysmon file monitoring | Watch browser DB access | High | Strong artifact coverage |
| EDR lineage | Track DB copy operations | Critical | Best triage source |
| Session security | Re-auth policies | High | Limits stolen cookie impact |