
Analytic for Signal Desktop sensitive data access

Open netgrain opened this issue 10 months ago • 0 comments

Summary of the Pull Request

Adds analytic for detecting access of Signal Desktop's sensitive files containing message data, and key material used for encrypting and decrypting said data. Multiple threat actors have targeted locally stored data in Signal, WhatsApp and Telegram in recent years.

See also: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/

Changelog

  • new: File Access Of Signal Desktops Sensitive Data

Example Log Event

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    EventID 4663
  - Execution
    [ ProcessID] 4
    [ ThreadID] 112
    Channel Security

- EventData
  SubjectUserSid S-1-5-21-..
  SubjectUserName user1
  SubjectDomainName DOMAIN
  ObjectServer Security
  ObjectType File
  ObjectName C:\Users\user1\AppData\Roaming\Signal\sql\db.sqlite
  HandleId 0xa44
  AccessList %%4416
  AccessMask 0x1
  ProcessId 0x2818
  ProcessName C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ResourceAttributes S:AI

netgrain, Mar 03 '25 12:03
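The detection this PR describes, as an added example that is neither the PR's Sigma rule nor SigmaHQ code: a small Python matcher that parses Event Viewer friendly-view EventData (constructed from the example above) and flags 4663 file-access events on Signal Desktop's sensitive files from any process other than Signal Desktop itself. The db.sqlite path comes from the PR's example; config.json as the key-file location and the Signal.exe install path are assumptions.

```python
# Sensitive Signal Desktop artifacts, matched case-insensitively as path suffixes.
# db.sqlite comes from the PR's example event; config.json (where Signal Desktop keeps
# the database key) is an assumption here, not something the PR states.
SENSITIVE_SUFFIXES = (r"\signal\sql\db.sqlite", r"\signal\config.json")

# Signal Desktop's own binary legitimately opens these files; assumed install path.
BENIGN_PROCESS_SUFFIXES = (r"\signal-desktop\signal.exe",)

# Friendly-view EventData as shown in the PR (constructed, trimmed to the relevant fields).
SAMPLE_EVENTDATA = r"""
  SubjectUserName user1
  ObjectType File
  ObjectName C:\Users\user1\AppData\Roaming\Signal\sql\db.sqlite
  AccessMask 0x1
  ProcessName C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

def parse_eventdata(text):
    """Split each 'Key Value' line of an Event Viewer friendly-view dump into a dict."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields

def is_sensitive_signal_access(event_id, fields):
    """True when a 4663 file-access event touches a sensitive Signal Desktop file
    from a process other than Signal Desktop itself."""
    if event_id != 4663 or fields.get("ObjectType") != "File":
        return False
    obj = fields.get("ObjectName", "").lower()
    proc = fields.get("ProcessName", "").lower()
    return obj.endswith(SENSITIVE_SUFFIXES) and not proc.endswith(BENIGN_PROCESS_SUFFIXES)

def find_suspicious(events):
    """events: iterable of (event_id, eventdata_text); returns (ProcessName, ObjectName) hits."""
    hits = []
    for event_id, text in events:
        f = parse_eventdata(text)
        if is_sensitive_signal_access(event_id, f):
            hits.append((f["ProcessName"], f["ObjectName"]))
    return hits

if __name__ == "__main__":
    # Same access performed by Signal Desktop itself: should not alert.
    benign = SAMPLE_EVENTDATA.replace(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Users\user1\AppData\Local\Programs\signal-desktop\Signal.exe")
    for hit in find_suspicious([(4663, SAMPLE_EVENTDATA), (4663, benign), (4656, SAMPLE_EVENTDATA)]):
        print("ALERT", hit)
```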