Infostealers and Session Hijacking: Why Breach Monitoring Fails
Introduction
The recent analysis on why simple breach monitoring is no longer enough highlights a critical shift in the threat landscape: attackers are moving beyond credential stuffing to active session hijacking. Infostealers like RedLine, Vidar, and Lumma Stealer are harvesting valid session cookies at scale, allowing adversaries to bypass Multi-Factor Authentication (MFA) entirely.
Traditional breach monitoring relies on static lists of leaked credentials from past database dumps. However, a valid session cookie stolen minutes ago via malware won't appear on "Have I Been Pwned" for months, if ever. For SOC analysts and CISOs, this means the gap between compromise and detection is widening. Defenders must shift focus from passive monitoring to active, behavioral detection of infostealer activity on the endpoint.
Technical Analysis
The Threat Mechanism
Infostealers operate as information-grabbing malware, typically delivered via phishing attachments, malicious SEO (malvertising), or fake software cracks. Once executed on a victim machine, the malware performs the following:
- Process Injection: Often injects into a legitimate process (e.g., explorer.exe or a browser process) to evade detection and blend in.
- Browser Data Enumeration: Scans for browser data storage directories. Modern browsers like Chrome, Edge, and Brave store session tokens, cookies, and saved passwords in SQLite databases (Cookies, Login Data, Web Data) or LevelDB files.
- Data Exfiltration: The malware reads these database files directly from the disk, often bypassing browser sandbox protections, and transmits the stolen data (JSON or encrypted payloads) to a Command and Control (C2) server.
Impact
The primary risk is Session Hijacking. By obtaining the session cookie, an attacker can impersonate the user without needing the password or passing MFA challenges. This grants access to corporate SaaS applications (O365, Salesforce, AWS), banking portals, and email accounts. Because the session is valid, simple IP-based geolocation blocks may fail if the attacker tunnels through a residential proxy (a common TTP of infostealers).
Exploitation Status
- Availability: Infostealer logs are widely traded on cybercrime forums (e.g., Genesis Market, Russian Market).
- Active Exploitation: Confirmed active exploitation globally, targeting industries across all sectors.
Detection & Response
Defending against infostealers requires detecting unauthorized access to browser storage files and anomalous process execution patterns.
SIGMA Rules
The following Sigma rules detect non-browser processes accessing browser credential databases, and executables launched from user-writable directories with command lines that suggest credential theft. Note that current Chrome builds keep the cookie jar under Default\Network\Cookies, and every additional profile (Profile 1, Profile 2, and so on) holds its own copy of these files, so extend the path lists to match the browsers and profiles deployed in your estate.
---
title: Suspicious Browser Database Access
id: 4a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects non-browser processes accessing browser database files (Cookies, Login Data). This is a primary TTP of infostealers.
references:
    - https://www.bleepingcomputer.com/news/security/why-simple-breach-monitoring-is-no-longer-enough/
author: Security Arsenal
date: 2025/04/07
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_chromium:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Google\Chrome\User Data\Default\Network\Cookies'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Default\Web Data'
            - '\Microsoft\Edge\User Data\Default\Cookies'
            - '\Microsoft\Edge\User Data\Default\Network\Cookies'
    selection_firefox:
        # logins.json sits inside a randomly named profile directory, so both fragments must match
        TargetFilename|contains|all:
            - '\Mozilla\Firefox\Profiles\'
            - '\logins.json'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    condition: 1 of selection_* and not filter_main_browsers
falsepositives:
    - Legitimate password managers accessing browser stores
    - Browser backup utilities
level: high
---
title: Potential Stealer Execution from AppData
id: 8b4d2e91-1f5c-4a78-bc23-4e6a9g012345
status: experimental
description: Detects executables running from user AppData or Temp directories with names resembling common tools or using double extensions often used in initial access.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/04/07
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
        Image|endswith:
            - '.exe'
        CommandLine|contains:
            - 'token'
            - 'cookie'
            - 'steal'
    condition: selection
falsepositives:
    - Legitimate software installers updating in user context
level: medium
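To make the matching logic of the two rules above testable offline, here is an added example in Python (not code from the original article or from Security Arsenal). It re-implements both rules over constructed event records whose field names mirror the Sigma fields (Image, TargetFilename, CommandLine). It deliberately goes beyond the rules as written: any Chromium profile directory (Default, Profile 1, ...) and the newer profile\Network\Cookies location are matched, Brave is included alongside Chrome and Edge, and Firefox's randomly named profile directory is handled. The sample events, user names and paths are all constructed for this example.

```python
"""Added example: the two Sigma rules expressed as plain Python over
constructed event records, so the matching logic can be exercised offline."""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Chromium credential/cookie stores. Extends the Sigma rule: any profile
# directory (Default, Profile N) and the newer <profile>\Network\Cookies path.
CHROMIUM_STORE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\"
    r"(?:Default|Profile \d+)\\(?:Network\\)?(?:Cookies|Login Data|Web Data)$",
    re.IGNORECASE,
)
# Firefox keeps logins.json and cookies.sqlite inside a randomly named profile dir.
FIREFOX_STORE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|cookies\.sqlite)$",
    re.IGNORECASE,
)
# Equivalent of filter_main_browsers (Image|endswith); lowercase for comparison.
BROWSER_IMAGES = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\brave.exe")


def rule_browser_db_access(event: Event) -> bool:
    """Rule 1: a process other than the browser itself touches a credential store."""
    target = event.get("TargetFilename", "")
    if not (CHROMIUM_STORE.search(target) or FIREFOX_STORE.search(target)):
        return False
    return not event.get("Image", "").lower().endswith(BROWSER_IMAGES)


USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
STEALER_KEYWORDS = ("token", "cookie", "steal")


def rule_stealer_from_appdata(event: Event) -> bool:
    """Rule 2: an .exe under AppData whose command line mentions tokens, cookies or stealing."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        any(d in image for d in USER_WRITABLE_DIRS)
        and image.endswith(".exe")
        and any(k in cmdline for k in STEALER_KEYWORDS)
    )


def evaluate(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule title) for every event that fires a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev["category"] == "file_access" and rule_browser_db_access(ev):
            hits.append((ev["id"], "Suspicious Browser Database Access"))
        elif ev["category"] == "process_creation" and rule_stealer_from_appdata(ev):
            hits.append((ev["id"], "Potential Stealer Execution from AppData"))
    return hits


CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[Event] = [
    {"id": "evt-1", "category": "file_access",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": CHROME + r"\Default\Network\Cookies"},  # the browser itself: benign
    {"id": "evt-2", "category": "file_access",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": CHROME + r"\Profile 1\Login Data"},  # non-Default profile: fires
    {"id": "evt-3", "category": "file_access",
     "Image": r"C:\Program Files\ExamplePasswordManager\pwmgr.exe",
     "TargetFilename": CHROME + r"\Default\Cookies"},  # password manager: fires (known false positive)
    {"id": "evt-4", "category": "file_access",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"id": "evt-5", "category": "process_creation",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"svchost.exe --grab cookies --out C:\Users\alice\AppData\Local\Temp\out.zip"},
    {"id": "evt-6", "category": "process_creation",
     "Image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "CommandLine": r"Zoom.exe --url=zoommtg://zoom.us/join"},  # benign AppData app: no keyword
    {"id": "evt-7", "category": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type cookies.txt"},  # keyword present but not launched from AppData
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Running it lists evt-2, evt-3 and evt-5; evt-3 is exactly the password-manager case the rule's falsepositives entry warns about, which is why an allow-list of signed vendor binaries belongs in the filter before the rule goes to production.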
KQL (Microsoft Sentinel / Defender)
This hunt query identifies file activity against the Cookies, Login Data or Web Data stores of any Chrome or Edge profile (including the newer Network\Cookies location), excluding the browser processes themselves. It runs against DeviceFileEvents rather than DeviceProcessEvents, since that is the table carrying file names and paths; Defender's file events record creations, modifications and renames rather than every read, so the query surfaces a stealer copying or rewriting the store rather than merely opening it. explorer.exe is excluded to cut noise from shell file operations, but the Threat Mechanism section above notes that stealers inject into it, so weigh that exclusion against your tuning data.
DeviceFileEvents
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| where FileName in~ ("Cookies", "Login Data", "Web Data")
| where FolderPath has_any ("\\Google\\Chrome\\User Data\\", "\\Microsoft\\Edge\\User Data\\")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "explorer.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, FolderPath, ActionType
| order by Timestamp desc
Velociraptor VQL
This query lists running processes, other than Chrome's own binary, whose command line references the cookie or login-data store. It keys on the command line rather than on open file handles, so treat it as a quick triage check, not as proof that a process touched the files. The parentheses matter: without them the OR branch would bypass the Chrome exclusion, and (?i) makes the regex match regardless of case.
-- Hunt for non-Chrome processes whose command line references Chrome's sensitive files
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE NOT (Exe IN ("C:\Program Files\Google\Chrome\Application\chrome.exe", "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
  AND (CommandLine =~ '(?i)cookies' OR CommandLine =~ '(?i)login data')
Remediation Script (PowerShell)
Use this script on a potentially compromised host to list recent modifications to browser data directories and to surface unsigned processes running from AppData; terminate any that are confirmed malicious.
# Check for recent modifications to Chrome User Data (last 24 hours)
$UserPath = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$CutoffTime = (Get-Date).AddHours(-24)
if (Test-Path $UserPath) {
    Write-Host "Checking for recent browser DB modifications..." -ForegroundColor Yellow
    # -Recurse covers every profile directory and the newer Default\Network\Cookies location
    Get-ChildItem -Path $UserPath -Recurse -Include "Cookies", "Login Data", "Web Data" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $CutoffTime } |
        Select-Object FullName, LastWriteTime, Length
}

# Identify unsigned processes running from AppData that are not a browser or explorer.
# ProcessName carries no extension, so the exclusion list must not either.
Write-Host "Checking for suspicious unsigned processes..." -ForegroundColor Yellow
Get-Process | Where-Object {
    $_.Path -and $_.Path -match 'AppData' -and
    $_.MainWindowTitle -eq '' -and
    $_.ProcessName -notin @('chrome', 'msedge', 'firefox', 'explorer')
} | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($null -eq $sig -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            ProcessName = $_.ProcessName
            Path        = $_.Path
            StartTime   = $_.StartTime
            Id          = $_.Id
            Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
        }
    }
}
Remediation
If an infostealer infection is suspected, immediate and decisive action is required:
- Isolate the Host: Disconnect the affected machine from the network immediately to prevent further exfiltration or C2 communication.
- Terminate Suspicious Processes: Kill any non-browser processes identified accessing Login Data or Cookies files.
- Revoke Sessions: Since the primary risk is session hijacking, simple password changes may not be sufficient if cookies are still valid. Administrators must revoke all active OAuth tokens and sessions for the affected user from the SaaS provider (O365 Admin Center, AWS Console, etc.).
- Credential Reset: Force a password reset for all accounts used on the compromised machine, ensuring the user does not reuse the compromised password.
- Investigate Persistence: Check for persistence mechanisms in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and scheduled tasks created at the time of infection.
- User Education: Brief the user on the risks of downloading cracked software or unverified browser extensions, which remain the primary vectors for infostealers.
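The Revoke Sessions and Credential Reset steps above only work together if the service binds sessions to the credential they were issued under. The following added example (written for this page, not code from the article or from any identity provider) models that server side in Python: a minimal session store where a password reset alone leaves a stolen session token valid, and where bumping a per-user credential generation invalidates every outstanding session at once. All names, the user "alice" and the passwords are constructed for the example.

```python
"""Added example: a minimal server-side session store showing why a password
reset alone does not end a hijacked session, and how a per-user credential
generation makes session revocation and credential reset act together."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    cred_generation: int = 0  # bumped whenever every existing session must die


@dataclass
class Session:
    user: str
    generation: int  # the user's cred_generation when this session was issued


class SessionStore:
    """Illustrative store; a real deployment keeps this state in the IdP or SaaS backend."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # sha256(token) -> Session

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the bearer token is kept server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, self._kdf(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        """Returns a session token (what the browser would hold in a cookie) or None."""
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(user.password_hash, self._kdf(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = Session(name, user.cred_generation)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Returns the user name if the token is still a live session, else None."""
        key = self._key(token)
        session = self.sessions.get(key)
        if session is None:
            return None
        if session.generation != self.users[session.user].cred_generation:
            del self.sessions[key]  # issued before the last revocation: purge it
            return None
        return session.user

    def reset_password(self, name: str, new_password: str) -> None:
        """Rotates the credential only. Sessions already issued stay valid."""
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._kdf(new_password, user.salt)

    def revoke_all_sessions(self, name: str) -> None:
        """Invalidates every session issued so far without touching each one."""
        self.users[name].cred_generation += 1

    def respond_to_compromise(self, name: str, new_password: str) -> None:
        """Revoke first, then reset, as the remediation list prescribes."""
        self.revoke_all_sessions(name)
        self.reset_password(name, new_password)


def demo() -> Dict[str, bool]:
    """Walks through the scenario and records what each step observes."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    stolen = store.login("alice", "correct horse battery staple")  # cookie lifted from the endpoint
    result = {"valid_before": store.validate(stolen) == "alice"}
    store.reset_password("alice", "new-password-1")
    result["valid_after_password_reset_only"] = store.validate(stolen) == "alice"
    store.respond_to_compromise("alice", "new-password-2")
    result["valid_after_revocation"] = store.validate(stolen) == "alice"
    result["old_password_rejected"] = store.login("alice", "correct horse battery staple") is None
    fresh = store.login("alice", "new-password-2")
    result["fresh_login_valid"] = fresh is not None and store.validate(fresh) == "alice"
    return result


if __name__ == "__main__":
    for step, observed in demo().items():
        print(f"{step}: {observed}")
```

The generation counter is the design point: revocation is one integer increment rather than a scan of every session record, and any session minted before the incident fails validation on its next request. Real providers expose the same idea behind an admin action (a "revoke sessions" or "sign out everywhere" control), which is why the step belongs in the playbook alongside the password reset rather than being assumed to follow from it.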
Related Resources