The traditional image of a hacker "breaking in" through a compromised firewall or exploiting a zero-day vulnerability is rapidly becoming outdated. According to recent reports, attackers are increasingly shifting tactics to simply "logging in" using valid credentials.
For IT and security teams, this represents a critical paradigm shift. It means that perimeter defenses alone are no longer sufficient. The threat is now inside the identity layer. This post analyzes the rise of industrialized infostealers and AI-enabled social engineering, and provides actionable strategies to secure your organization’s identity infrastructure.
Technical Analysis
The surge in "logging in" attacks is driven by two primary technical enablers: the industrialization of infostealers and the weaponization of Artificial Intelligence.
The Mechanics of Infostealers
Infostealers are a class of malware designed to harvest sensitive data from infected endpoints. Unlike traditional ransomware, which aims to encrypt data for extortion, infostealers operate silently to extract:
- Session Cookies: Allowing attackers to bypass Multi-Factor Authentication (MFA) by hijacking active sessions.
- Authentication Tokens: Stored tokens for SaaS applications (e.g., Microsoft 365, Salesforce).
- Credentials: Saved passwords in browsers and credential managers.
The "industrialization" refers to the Malware-as-a-Service (MaaS) economy. Actors can purchase logs containing thousands of stolen corporate credentials for a fraction of the cost of developing an exploit. The primary infection vectors include malicious browser extensions, cracked software, and phishing documents.
AI-Enabled Social Engineering
Attackers are leveraging Large Language Models (LLMs) to craft highly convincing social engineering attacks.
- Contextual Awareness: AI analyzes leaked data or public OSINT to create personalized spear-phishing emails that reference specific projects, colleagues, or organizational structures.
- Deepfakes: Audio and video deepfakes are being used to request password resets or authorize fraudulent transactions, bypassing traditional verification checks.
Affected Systems:
- Identity Providers (IdP): Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity.
- Endpoints: Windows, macOS, and Linux workstations where browsers store credentials.
- SaaS Applications: Any application relying on username/password or session-based authentication.
Severity: High. These attacks bypass standard perimeter defenses (firewalls/EDR) because the traffic originates from a valid user account with a trusted device or stolen session token.
Executive Takeaways
Since this news represents a strategic shift in the threat landscape rather than a specific software vulnerability, security leaders must prioritize the following:
- Identity is the New Perimeter: Security investments must shift from network-centric controls to identity-centric controls. Assume that credentials will be compromised and design controls that limit the blast radius.
- Phishing-Resistant MFA is Mandatory: Standard SMS or app-based push notification MFA is no longer enough. Attackers are using MFA fatigue (flooding users with prompts) and session hijacking to bypass these controls. Moving to FIDO2/WebAuthn (passkeys) or certificate-based authentication is essential.
- Token Hygiene is Critical: Detecting a stolen password is standard; detecting a stolen session cookie is much harder. Organizations must implement continuous access evaluation (CAE) to revoke risky sessions in real-time.
Detection & Response
Sigma Rules
---
title: Suspicious Windows Credential Manager Enumeration
id: 4f8a12d3-9b7c-4a1e-8c5f-2d3e4a5b6c7d
status: experimental
description: |
    Detects the use of cmdkey.exe to list stored credentials.
    Infostealers and post-exploitation tools often enumerate the Windows Credential Manager
    to harvest saved RDP, browser, or Git credentials to facilitate lateral movement ("logging in").
references:
    - https://attack.mitre.org/techniques/T1555/004/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.credential_access
    - attack.t1555.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: '/list'
    filter:
        # Optional: exclude specific automated admin tools if they are known to be noisy
        ParentImage|contains:
            - '\management.exe'
    condition: selection and not filter
falsepositives:
    - Administrative scripts auditing saved credentials
    - Legitimate troubleshooting by IT staff
level: medium
---
title: Non-Browser Process Accessing Sensitive Browser Files
id: 9e2f4a8b-1c3d-4e5f-8a9b-2c3d4e5f6a7b
status: experimental
description: |
    Detects access to browser credential or cookie storage files (SQLite databases)
    by processes other than the browser itself. This is a primary TTP of industrialized
    infostealer malware designed to steal session cookies and saved passwords.
references:
    - https://attack.mitre.org/techniques/T1555/003/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Google\Chrome\User Data\Default\Web Data'
            - '\Microsoft\Edge\User Data\Default\Login Data'
            - '\Microsoft\Edge\User Data\Default\Cookies'
            - '\Mozilla\Firefox\Profiles\key4.db'
            - '\Mozilla\Firefox\Profiles\logins.json'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    filter_main_av:
        # Antivirus often scans these files during operation
        Image|contains:
            - '\ProgramData\Microsoft\Windows Defender\Platform\'
            - '\Program Files\Common Files\AVG\'
            - '\Program Files\ESET\'
            - '\Program Files\Malwarebytes\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Antivirus scans
    - Backup software accessing profile data
    - Browser synchronization utilities
level: high
KQL — Microsoft Sentinel / Defender
// Hunt for infostealer behavior: detects non-browser processes accessing sensitive browser/credential files (Login Data, Cookies, Credentials)
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileAccessed", "FileCreated", "FileModified")
| where FileName in~ ("Login Data", "Cookies", "Web Data", "History", "User Data", "key3.db", "key4.db", "logins.json", "cert9.db", "Credentials")
| where FolderPath has @"\AppData\Local\Google\Chrome\User Data\"
    or FolderPath has @"\AppData\Local\Microsoft\Edge\User Data\"
    or FolderPath has @"\AppData\Roaming\Mozilla\Firefox\Profiles\"
    or FolderPath has @"\AppData\Local\Microsoft\Credentials\"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe", "browser_broker.exe", "explorer.exe")
| where InitiatingProcessFolderPath !startswith @"C:\Program Files"
    and InitiatingProcessFolderPath !startswith @"C:\Program Files (x86)"
| summarize count(), FilesAccessed = make_set(FileName), arg_max(Timestamp, *) by InitiatingProcessFileName, InitiatingProcessFolderPath, DeviceName, AccountName
| order by count_ desc
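The two Sigma rules and the KQL query above express the same detection logic. As an added example (not code from the page or from Security Arsenal), this small Python evaluator implements the two Sigma condition shapes they use, `selection and not filter` and `selection and not 1 of filter_main_*`, and runs both rules over constructed events; field names come from the rules, everything else is assumed.

```python
def _match(modifier, value, pattern):
    """Sigma string matching is case-insensitive; modifiers: endswith, contains, or exact."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    return v == p

def selector_matches(selector, event):
    """Every field in a selection/filter map must match (AND); a list of patterns is OR."""
    for key, patterns in selector.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match(modifier, value, p) for p in patterns):
            return False
    return True

def rule_matches(detection, event):
    """Handles 'selection and not <filter>' and 'selection and not 1 of <prefix>*'."""
    cond = detection["condition"]
    if not selector_matches(detection["selection"], event):
        return False
    if " of " in cond:   # any filter whose name starts with the prefix suppresses the hit
        prefix = cond.split(" of ")[1].strip().rstrip("*")
        filters = [v for k, v in detection.items() if k.startswith(prefix)]
    else:                # a single named filter suppresses the hit
        filters = [detection[cond.split(" not ")[1].strip()]]
    return not any(selector_matches(f, event) for f in filters)
CMDKEY_RULE = {
    "selection": {"Image|endswith": r"\cmdkey.exe", "CommandLine|contains": "/list"},
    "filter": {"ParentImage|contains": [r"\management.exe"]},
    "condition": "selection and not filter",
}
BROWSER_FILES_RULE = {
    "selection": {"TargetFilename|contains": [r"\Google\Chrome\User Data\Default\Login Data",
                                              r"\Google\Chrome\User Data\Default\Cookies"]},
    "filter_main_browsers": {"Image|endswith": [r"\chrome.exe", r"\msedge.exe", r"\firefox.exe"]},
    "filter_main_av": {"Image|contains": [r"\ProgramData\Microsoft\Windows Defender\Platform"]},
    "condition": "selection and not 1 of filter_main_*",
}
RULES = {"cmdkey_enum": CMDKEY_RULE, "browser_files": BROWSER_FILES_RULE}
# Constructed sample events (not real telemetry); the third one is a legitimate browser access.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey /list", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]
def hunt(events):
    """Returns (rule name, event index) for every event a rule fires on."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule_matches(rule, e)]
```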
Velociraptor VQL
name: Custom.Hunt.InfostealerAndCredentialTheft
description: |
    Hunts for indicators of industrialized infostealers and credential theft tactics.
    Covers suspicious processes in user directories (common for RedLine/Vidar),
    network connections from non-standard paths, and privileged identity checks.

sources:
  - name: UnsignedProcessInUserDir
    description: |
      Identifies unsigned processes running from user directories.
      Infostealers often execute from AppData/Temp to hide from admins and avoid
      requiring system privileges.
    query: |
      SELECT Pid, Name, Exe, Username, CommandLine, TokenIsElevated,
             authenticode(filename=Exe).Trusted AS SigTrusted
      FROM pslist()
      WHERE Exe =~ "^C:\\\\Users\\\\"
        AND NOT Exe =~ "Program Files"
        AND NOT Exe =~ "Windows\\\\"
        AND SigTrusted != "trusted"

  - name: SuspiciousNetworkConnections
    description: |
      Correlates established network connections with their owning processes.
      Connections made by processes running outside system paths are
      potential C2 beacons from infostealers.
    query: |
      SELECT * FROM foreach(
        row={
          SELECT Pid AS NetPid, Laddr, Raddr, Status
          FROM netstat()
          WHERE Status =~ "ESTAB"
        },
        query={
          SELECT NetPid AS Pid, Name, Exe, Username, Laddr, Raddr, Status
          FROM pslist(pid=NetPid)
          WHERE NOT Exe =~ "^C:\\\\Windows\\\\"
            AND NOT Exe =~ "^C:\\\\Program Files"
        })

  - name: InfostealerArtifacts
    description: |
      Scans the file system for known infostealer artifacts or dump files.
      Checks for common naming conventions of stolen data logs and
      suspicious binaries in Startup folders.
    query: |
      LET GlobList = "C:/Users/*/AppData/Local/Temp/*.exe,C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*.exe,C:/Users/*/AppData/Roaming/*.txt"

      SELECT OSPath, Size, Mode, Mtime, Atime
      FROM glob(globs=split(string=GlobList, sep=","))
      WHERE NOT Name =~ "(?i)setup"
        AND NOT Name =~ "(?i)install"
        AND Size < 5000000
        AND NOT IsLink

  - name: LocalAdminUsers
    description: |
      Identifies members of the local Administrators group (well-known SID S-1-5-32-544).
      Threat actors target these accounts for credential theft to pivot.
      The WMI filter uses the English group name; lookupSID() reports the
      localized name so the filter can be adjusted on non-English systems.
    query: |
      LET AdminGroup <= lookupSID(sid="S-1-5-32-544")

      SELECT AdminGroup AS Group, PartComponent AS Member
      FROM wmi(query="SELECT GroupComponent, PartComponent FROM Win32_GroupUser",
               namespace="root/cimv2")
      WHERE GroupComponent =~ 'Name="Administrators"'
Remediation Script
<#
.SYNOPSIS
    Script to hunt for infostealer IOCs and harden Windows against credential theft.
.DESCRIPTION
    This script checks for common Indicators of Compromise (IOCs) associated with
    information stealers (e.g., RedLine, Vidar) and verifies hardening controls
    like Credential Guard and LSA Protection.
#>

# Ensure script is running as Administrator
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "You must run this script as an Administrator."
    exit
}

Write-Host "---------------------------------------------------------------" -ForegroundColor Cyan
Write-Host " THREAT HUNT: Infostealers & Credential Theft" -ForegroundColor Cyan
Write-Host "---------------------------------------------------------------" -ForegroundColor Cyan

# 1. HARDENING: Check Windows Defender Credential Guard status
# Credential Guard virtualizes secrets to prevent credential dumping from LSASS.
Write-Host "`n[+] Checking Credential Guard Status..." -ForegroundColor Yellow
try {
    $CimGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
    $Config = $CimGuard.SecurityServicesConfigured
    $Running = $CimGuard.SecurityServicesRunning
    # Value 1 in these arrays denotes Credential Guard
    if ($Config -band 1) { Write-Host " Credential Guard is Configured: Yes" -ForegroundColor Green }
    else { Write-Host " Credential Guard is Configured: No (Action Required)" -ForegroundColor Red }
    if ($Running -band 1) { Write-Host " Credential Guard is Running: Yes" -ForegroundColor Green }
    else { Write-Host " Credential Guard is Running: No (Reboot may be required)" -ForegroundColor Red }
}
catch {
    Write-Host " Unable to query DeviceGuard status. Ensure OS supports it (Win 10/11 Enterprise)." -ForegroundColor Gray
}

# 2. HARDENING: Check LSA Protection (RunAsPPL)
# Prevents unsigned code from loading into LSASS.
Write-Host "`n[+] Checking LSA Protection (RunAsPPL)..." -ForegroundColor Yellow
$LsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$LsaValue = (Get-ItemProperty -Path $LsaPath -ErrorAction SilentlyContinue).RunAsPPL
if ($LsaValue -eq 1) { Write-Host " LSA Protection: Enabled" -ForegroundColor Green }
else { Write-Host " LSA Protection: Disabled (Action Required: Set to 1)" -ForegroundColor Red }

# 3. IOC HUNT: Check Windows Defender Exclusions
# Infostealers often add themselves to Defender exclusion lists to avoid detection.
Write-Host "`n[+] Hunting for Suspicious Defender Exclusions..." -ForegroundColor Yellow
try {
    $Exclusions = Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
    $SuspiciousPaths = @("AppData\Local\Temp", "AppData\Roaming", "Downloads", "Desktop")
    if ($Exclusions) {
        # Capture the outer $_ before the inner Where-Object rebinds it; otherwise each
        # suspicious path is compared against itself and every exclusion is flagged.
        $FoundExclusions = $Exclusions | Where-Object {
            $Exclusion = $_
            $SuspiciousPaths | Where-Object { $Exclusion -like "*$_*" }
        }
        if ($FoundExclusions) {
            Write-Host " WARNING: Suspicious exclusions found in user directories:" -ForegroundColor Red
            $FoundExclusions | ForEach-Object { Write-Host " - $_" -ForegroundColor Red }
        }
        else {
            Write-Host " No suspicious path exclusions detected." -ForegroundColor Green
        }
    }
    else {
        Write-Host " No exclusions configured." -ForegroundColor Green
    }
}
catch {
    Write-Host " Failed to query Defender preferences." -ForegroundColor Red
}

# 4. IOC HUNT: Check Registry Run Keys for Persistence
# Malware often uses Run keys to maintain persistence using obscure paths.
Write-Host "`n[+] Scanning Registry Run Keys for Persistence..." -ForegroundColor Yellow
$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$SuspiciousRunKeys = @()
foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        Get-Item -Path $Path | ForEach-Object {
            $Properties = Get-ItemProperty -Path $_.PSPath
            foreach ($Prop in $Properties.PSObject.Properties) {
                # Skip the PS* metadata properties PowerShell adds and the (default) value;
                # a bare "PS*" regex would also drop any value name containing a P.
                if ($Prop.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$|^\(default\)$') {
                    $Value = $Prop.Value
                    # Heuristic: check for executables in User Profile Temp or obscure AppData folders
                    if ($Value -match "AppData\\Local\\Temp" -or
                        $Value -match "AppData\\Roaming\\[a-zA-Z0-9]{8,}" -or
                        $Value -match "public\\") {
                        $SuspiciousRunKeys += [PSCustomObject]@{
                            Hive  = $Path
                            Key   = $Prop.Name
                            Value = $Value
                        }
                    }
                }
            }
        }
    }
}
if ($SuspiciousRunKeys.Count -gt 0) {
    Write-Host " WARNING: Suspicious persistence keys found:" -ForegroundColor Red
    $SuspiciousRunKeys | Format-Table -AutoSize
}
else {
    Write-Host " No obvious malicious persistence found in Run keys." -ForegroundColor Green
}

# 5. IOC HUNT: Check for recently modified suspicious files in AppData
# Infostealers often drop payloads in AppData\Roaming or Local with random names.
Write-Host "`n[+] Scanning User AppData for recent executables..." -ForegroundColor Yellow
$Users = Get-ChildItem -Path "C:\Users" -Directory -Exclude "Public", "Default"
$SuspiciousFiles = @()
foreach ($User in $Users) {
    $TargetPaths = @("$($User.FullName)\AppData\Roaming", "$($User.FullName)\AppData\Local")
    foreach ($TPath in $TargetPaths) {
        if (Test-Path $TPath) {
            # Find .exe, .dll, .bat files written in the last 7 days
            $Files = Get-ChildItem -Path $TPath -Recurse -Include *.exe, *.dll, *.bat -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
            foreach ($File in $Files) {
                # Heuristic: randomly named folders often indicate malware; expect some
                # false positives from legitimate 8+ character folder names (e.g. "Microsoft")
                if ($File.Directory.Name -match "^[a-zA-Z0-9]{8,}$") {
                    $SuspiciousFiles += $File.FullName
                }
            }
        }
    }
}
if ($SuspiciousFiles) {
    Write-Host " WARNING: Recently created executables found in random directories:" -ForegroundColor Red
    $SuspiciousFiles | ForEach-Object { Write-Host " - $_" -ForegroundColor Red }
}
else {
    Write-Host " No recent suspicious files found in AppData." -ForegroundColor Green
}

Write-Host "`n---------------------------------------------------------------" -ForegroundColor Cyan
Write-Host " Scan Complete." -ForegroundColor Cyan
Write-Host "---------------------------------------------------------------" -ForegroundColor Cyan
Remediation
To protect your organization against these credential-based threats, implement the following remediation steps immediately:
1. Enforce Phishing-Resistant Multi-Factor Authentication (MFA)
Move beyond simple push notifications. Implement FIDO2 security keys or passkeys for high-privilege accounts and eventually all users. This makes stolen credentials useless to the attacker without the physical hardware key.
2. Implement Conditional Access Policies
Restrict access based on risk signals. Do not trust a login solely because the password is correct.
- Device Compliance: Require devices to be managed (Intune/MDM) and compliant before accessing corporate data.
- Location/Network: Block or heavily scrutinize logins from impossible travel locations or anonymous TOR IPs.
- Session Risk: Integrate signals that detect token theft and force re-authentication.
3. Deploy Token Protection
Enable "Continuous Access Evaluation" (CAE) in Microsoft Entra ID or similar features in other IdPs. This allows critical events (like a password reset or a user being deleted) to immediately revoke session tokens, rather than waiting for the token to naturally expire.
4. Secure Browser Environments
Implement enterprise browser management policies (e.g., Microsoft Edge for Business or Chrome Enterprise). Disable password saving in browsers for corporate accounts to reduce the attack surface for infostealers.
5. Example Conditional Access Policy (JSON)
Below is an example of a Conditional Access policy configuration (conceptual JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource) aimed at enforcing device compliance and MFA for sensitive apps. Note that with "operator": "OR" a sign-in is granted as soon as any one of the listed controls is satisfied; to require MFA and a compliant device together, set the operator to "AND" and list only the controls that must all be met.
{
  "displayName": "Block Legacy Auth and Require Compliant Device",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["all"] },
    "users": {
      "includeUsers": ["all"],
      "excludeUsers": ["service_principal_ids"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"]
  }
}
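As an added example (not from the page or from Microsoft's policy engine), this Python snippet evaluates the grantControls of the policy above against a constructed sign-in that replays a stolen session (MFA claim present, device unmanaged), showing why the "OR" operator does not achieve what the policy's name promises; the scope and grant logic are a simplified model, and the sign-in dictionary is an assumption.

```python
import json

# The policy from the page, embedded so the example runs stand-alone.
POLICY_JSON = """{ "displayName": "Block Legacy Auth and Require Compliant Device", "state": "enabled",
  "conditions": { "clientAppTypes": ["all"], "applications": { "includeApplications": ["all"] },
                  "users": { "includeUsers": ["all"], "excludeUsers": ["service_principal_ids"] } },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"] } }"""

def policy_applies(policy, user_id):
    """Scope check (simplified): enabled, user included and not explicitly excluded."""
    users = policy["conditions"]["users"]
    included = "all" in users["includeUsers"] or user_id in users["includeUsers"]
    return policy["state"] == "enabled" and included and user_id not in users.get("excludeUsers", [])

def grant_decision(policy, user_id, signin):
    """signin maps each built-in control name to whether the sign-in satisfies it.
    OR: one satisfied control is enough; AND: every listed control must be satisfied."""
    if not policy_applies(policy, user_id):
        return "not in scope"
    grant = policy["grantControls"]
    satisfied = [c for c in grant["builtInControls"] if signin.get(c, False)]
    if grant["operator"] == "AND":
        ok = len(satisfied) == len(grant["builtInControls"])
    else:
        ok = bool(satisfied)
    return "grant" if ok else "block"

def harden(policy):
    """Copy of the policy that requires MFA and a compliant device together."""
    fixed = json.loads(json.dumps(policy))
    fixed["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
    return fixed

# Constructed sign-in: a replayed session cookie still carries the original MFA claim
# but comes from an unmanaged, non-domain-joined device (the infostealer scenario above).
STOLEN_SESSION = {"mfa": True, "compliantDevice": False, "domainJoinedDevice": False}

POLICY = json.loads(POLICY_JSON)
```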