This case study documents a stealthy credential-harvesting technique in which the attacker used a lightweight binary (browserdump.exe) to extract stored credentials from browser cache files (specifically Chrome and Edge) without elevating privileges or triggering persistence indicators. The executable was launched from a writable public folder, had no parent installer chain, and immediately read the Login Data files stored in the browser profile directories.
Key insights:
The IOC originated from an EDR alert detecting an unsigned binary in an unusual location performing credential-related file reads.
Triage followed the Host-Based Local Triage Protocol, leading to Layer 1 (Process Execution) and Layer 4 (Credential Management) system mapping.
Volatile memory inspection revealed in-memory artifacts from the decrypted credential cache, confirming successful extraction of sensitive data without modifying system persistence mechanisms.
No service creation, no registry keys, and no privilege escalation were observed—highlighting the low-noise, reconnaissance-driven nature of this tactic.
Attacker behavior aligned with credential validation operations—common in phishing follow-ups or APTs gauging target viability.
Defender actions included containment, memory capture, credential invalidation, and deployment of telemetry-based detection rules for access to browser cache directories.
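The following is an added example, not part of the original case study and not the responders' actual rule set, of the kind of telemetry-based detection described in the alert and defender-action points above: it runs over constructed file-access events (the schema, PIDs, paths and the parent process names are assumptions) and flags any process other than the browser itself reading a Chrome or Edge Login Data store, raising severity when the reader is unsigned or was launched from a user-writable staging directory such as C:\Users\Public.

```python
"""Detection logic over constructed file-access telemetry (added example).

Flags non-browser processes reading Chrome/Edge 'Login Data' stores and
raises severity when the reader is unsigned or launched from a
world-writable staging directory.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FileAccessEvent:
    """One file-read record as an EDR-style sensor might emit it (assumed schema)."""
    pid: int
    image: str          # full path of the process performing the read
    signed: bool        # code-signature state as reported by the sensor
    parent_image: str   # full path of the parent process
    target: str         # file being read
    operation: str = "read"


# Chrome and Edge keep saved logins in <profile>\Login Data (a SQLite database).
LOGIN_DATA_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data(-journal)?$",
    re.IGNORECASE,
)

# The only images expected to touch those files are the browsers themselves,
# installed under Program Files. Any other reader is worth an alert.
EXPECTED_READERS = re.compile(
    r"^C:\\Program Files( \(x86\))?\\(Google\\Chrome\\Application\\chrome\.exe"
    r"|Microsoft\\Edge\\Application\\msedge\.exe)$",
    re.IGNORECASE,
)

# Directories any user can write to; binaries staged here have no installer chain.
WRITABLE_STAGING_RE = re.compile(
    r"^C:\\(Users\\Public|ProgramData|Users\\[^\\]+\\AppData\\Local\\Temp)\\",
    re.IGNORECASE,
)


@dataclass
class Alert:
    pid: int
    image: str
    target: str
    severity: str
    reasons: list = field(default_factory=list)


def evaluate(ev: FileAccessEvent):
    """Return an Alert for a suspicious Login Data read, or None if benign."""
    if ev.operation != "read" or not LOGIN_DATA_RE.search(ev.target):
        return None
    if EXPECTED_READERS.match(ev.image):
        return None  # the browser reading its own store is normal

    reasons = ["non-browser process read a browser credential store"]
    score = 1
    if not ev.signed:
        reasons.append("reader image is unsigned")
        score += 1
    if WRITABLE_STAGING_RE.match(ev.image):
        reasons.append("reader launched from a user-writable staging directory")
        score += 1
    severity = {1: "medium", 2: "high", 3: "critical"}[score]
    return Alert(ev.pid, ev.image, ev.target, severity, reasons)


def run_detection(events):
    """Apply evaluate() to an event stream and return the alerts raised."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry; PIDs, user name and vendor paths are made up.
SAMPLE_EVENTS = [
    FileAccessEvent(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", True,
                    r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent(5188, r"C:\Users\Public\browserdump.exe", False,
                    r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent(5188, r"C:\Users\Public\browserdump.exe", False,
                    r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileAccessEvent(6020, r"C:\Windows\System32\notepad.exe", True,
                    r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\Documents\notes.txt"),
    FileAccessEvent(7311, r"C:\Program Files\BackupVendor\agent.exe", True,
                    r"C:\Windows\System32\services.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.severity}] pid={alert.pid} {alert.image} -> {alert.target}")
        for reason in alert.reasons:
            print("   -", reason)
```

On the sample stream the browser's own reads and the unrelated notepad.exe read produce nothing, the two browserdump.exe reads score as critical (non-browser reader, unsigned, staged in C:\Users\Public), and the signed backup agent reading Login Data from Program Files still surfaces at medium severity so that an analyst can baseline or tune it rather than lose the visibility entirely.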
This attack exemplifies how convenience features like saved logins become high-value targets and shows the importance of visibility into user-level behaviors. It also demonstrates the power of endpoint telemetry and memory inspection in confirming credential theft operations that bypass deeper system defenses.