Splunk Lantern

Command-line parameters related to web browser credential dumpers


This search detects a suspicious process whose command line contains parameters associated with a web browser credential dumper. The technique is used by Remcos RAT, which runs the NirSoft WebBrowserPassView.exe utility to dump credentials saved in web browsers; Remcos passes the /stext switch so the credentials are written out in plain-text format. A match is a good indicator that a host may be infected with Remcos RAT.

Data required

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process"="*/stext*" OR "Processes.process"="*/shtml *" OR "Processes.process"="*/LoadPasswordsIE*" OR "Processes.process"="*/LoadPasswordsFirefox*" OR "Processes.process"="*/LoadPasswordsChrome*" OR "Processes.process"="*/LoadPasswordsOpera*" OR "Processes.process"="*/LoadPasswordsSafari*" OR "Processes.process"="*/UseOperaPasswordFile*" OR "Processes.process"="*/OperaPasswordFile*" OR "Processes.process"="*/stab*" OR "Processes.process"="*/scomma*" OR "Processes.process"="*/stabular*" OR "Processes.process"="*/shtml*" OR "Processes.process"="*/sverhtml*" OR "Processes.process"="*/sxml*" OR "Processes.process"="*/skeepass*") ("Processes.process"="*\\temp\\*" OR "Processes.process"="*\\users\\public\\*" OR "Processes.process"="*\\programdata\\*")) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process"="*/stext*" OR "Processes.process"="*/shtml *" OR "Processes.process"="*/LoadPasswordsIE*" OR "Processes.process"="*/LoadPasswordsFirefox*" OR "Processes.process"="*/LoadPasswordsChrome*" OR "Processes.process"="*/LoadPasswordsOpera*" OR "Processes.process"="*/LoadPasswordsSafari*" OR "Processes.process"="*/UseOperaPasswordFile*" OR "Processes.process"="*/OperaPasswordFile*" OR "Processes.process"="*/stab*" OR "Processes.process"="*/scomma*" OR "Processes.process"="*/stabular*" OR "Processes.process"="*/shtml*" OR "Processes.process"="*/sverhtml*" OR "Processes.process"="*/sxml*" OR "Processes.process"="*/skeepass*") ("Processes.process"="*\\temp\\*" OR "Processes.process"="*\\users\\public\\*" OR "Processes.process"="*\\programdata\\*")) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"

Query the Endpoint.Processes data model object for command lines that carry a NirSoft-style credential-dump switch (/stext, /scomma, /LoadPasswords*, and so on) and that also reference one of the staging paths (\temp\, \users\public\, \programdata\) where the dumped output is typically written. summariesonly=false lets the search fall back to raw events where the data model is not accelerated. Group the results by destination, then by the rest of the fields shown, reporting the count and the first and last time each combination was seen.

| rename "Processes.*" AS "*"
Rename data model fields for better readability.

| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert the epoch times into readable strings.

Next steps

Because this search keys on command-line switches and on the staging paths where dumped credentials are usually written, it can produce false positives when legitimate tools use the same switches or write to the same paths. Note also that the wildcard patterns are substring matches: "*/stab*" matches any argument containing "/stab", such as a URL path "/stable/", not only NirSoft's /stab and /stabular switches, so review the full command line before escalating.
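The matching logic of the search, re-implemented in Python and run over a handful of constructed process-creation events, as an added example that is not part of the Splunk content. It emulates the WHERE clause (a dumper switch plus a staging path, each a substring test like the SPL wildcards) and the BY and convert steps, and includes the false-positive case discussed above: a PowerShell download whose URL contains "/stable/" satisfies the "*/stab*" wildcard. Host names, users, parent processes and command lines are invented, and the case-insensitive comparison is an assumption about how the deployment compares strings.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Command-line switches the search looks for. Splunk's "*/stab*" already
# covers "/stabular", and "*/shtml *" is subsumed by "*/shtml*", so only the
# distinct prefixes are listed.
DUMPER_SWITCHES = (
    "/stext", "/shtml", "/sverhtml", "/sxml", "/stab", "/scomma", "/skeepass",
    "/LoadPasswordsIE", "/LoadPasswordsFirefox", "/LoadPasswordsChrome",
    "/LoadPasswordsOpera", "/LoadPasswordsSafari",
    "/UseOperaPasswordFile", "/OperaPasswordFile",
)

# Staging paths from the search. The SPL "\\temp\\" is an escaped single
# backslash, i.e. the literal substring \temp\ (same for the other two).
STAGING_PATHS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")


def matches_search(process: str) -> bool:
    """Return True when a command line satisfies the search's WHERE clause.

    Both conditions are plain substring tests, exactly like the SPL "*x*"
    wildcards, so "/stab" also hits "/stable" inside a URL argument. Case is
    folded here; that is an assumption about how the deployment compares
    strings, not something the SPL on the page states.
    """
    p = process.lower()
    has_switch = any(s.lower() in p for s in DUMPER_SWITCHES)
    has_staging_path = any(path in p for path in STAGING_PATHS)
    return has_switch and has_staging_path


def _iso(epoch: int) -> str:
    # Mirrors: convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(...)
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def summarize(events):
    """Emulate the tstats ... BY clause: group the matching events and return
    one row per (dest, user, parent, process_name, command line) with count,
    firstTime and lastTime, ordered by dest."""
    groups = defaultdict(list)
    for ev in events:
        if matches_search(ev["process"]):
            key = (ev["dest"], ev["user"], ev["parent_process_name"],
                   ev["process_name"], ev["process"])
            groups[key].append(ev["_time"])
    rows = []
    for (dest, user, parent, name, cmd), times in sorted(groups.items()):
        rows.append({
            "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": name, "process": cmd, "count": len(times),
            "firstTime": _iso(min(times)), "lastTime": _iso(max(times)),
        })
    return rows


def _event(t, dest, user, parent, name, cmd):
    return {"_time": t, "dest": dest, "user": user,
            "parent_process_name": parent, "process_name": name, "process": cmd}


# Constructed process-creation events (invented, not real telemetry).
SAMPLE_EVENTS = [
    # Remcos-style: renamed NirSoft tool under Users\Public dumping to text,
    # run twice on the same host.
    _event(1700000000, "WS01", "CORP\\alice", "remcos.exe", "wbpv.exe",
           "C:\\Users\\Public\\wbpv.exe /stext C:\\Users\\Public\\browsers.txt"),
    _event(1700000090, "WS01", "CORP\\alice", "remcos.exe", "wbpv.exe",
           "C:\\Users\\Public\\wbpv.exe /stext C:\\Users\\Public\\browsers.txt"),
    # Same tool writing CSV out of ProgramData.
    _event(1700000200, "WS02", "CORP\\bob", "cmd.exe", "WebBrowserPassView.exe",
           "\"C:\\ProgramData\\tmp\\WebBrowserPassView.exe\" /LoadPasswordsChrome 1 "
           "/scomma C:\\ProgramData\\tmp\\out.csv"),
    # Same tool run from Program Files into the user's Documents: carries the
    # switch but none of the staging paths, so the search does not fire.
    _event(1700000300, "WS03", "CORP\\carol", "explorer.exe", "WebBrowserPassView.exe",
           "\"C:\\Program Files\\NirSoft\\WebBrowserPassView.exe\" /stext "
           "C:\\Users\\carol\\Documents\\pw.txt"),
    # Benign download: "/stable/" in the URL satisfies "*/stab*" and the file
    # lands in \Windows\Temp\, so this is a false positive.
    _event(1700000400, "WS04", "NT AUTHORITY\\SYSTEM", "services.exe", "powershell.exe",
           "powershell.exe -Command \"Invoke-WebRequest "
           "https://updates.example.invalid/stable/agent.msi "
           "-OutFile C:\\Windows\\Temp\\agent.msi\""),
    # Temp path but no dumper switch: no match.
    _event(1700000500, "WS05", "CORP\\dave", "explorer.exe", "cmd.exe",
           "cmd.exe /c dir C:\\Temp\\"),
]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["dest"], row["count"], row["firstTime"], row["lastTime"], row["process"])
```

Running the script produces three rows (WS01, WS02 and the WS04 false positive); the WS03 run from Program Files into a user profile is missed, which is the trade-off the staging-path condition makes to keep the alert volume down.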

During triage, isolate the endpoint and identify how the dumper was delivered and what launched it; the parent process name and parent command line returned by the search are the first place to look.

If your results indicate an attack has occurred, the host where the activity was detected needs to be further investigated and remediated according to your response plan, ending with re-imaging the system from a known-good build after the investigation. Treat any credentials saved in browsers on that host as exposed and reset them.

You might also be interested in other processes associated with the Detecting indicators of Remcos RAT malware use case.