firefox.exe - Mozilla Firefox Browser Security Analysis
WEB BROWSER
firefox.exe is the Mozilla Firefox web browser, a popular open-source browser. Attackers target Firefox for credential theft from stored passwords, browser hijacking via malicious extensions, and data exfiltration through the browser's network capabilities. Malware may also masquerade as firefox.exe or inject into its process.
Risk Summary
MEDIUM priority for SOC triage. firefox.exe is a legitimate browser that stores credentials and has extensive network access. Monitor for unexpected instances, unusual child processes (especially cmd.exe/powershell.exe), suspicious extensions, and profile data access outside normal browser operations.
Overview
What is firefox.exe?
firefox.exe is the main executable for Mozilla Firefox, an open-source web browser.
Core Functions
Web Browsing:
- Renders web pages
- Executes JavaScript
- Manages downloads
- Handles multimedia content
User Data Management:
- Stores passwords in logins.json, encrypted with a key held in key4.db; without a Primary Password that key is protected by an empty password, so anyone who can copy both files can decrypt the logins offline
- Manages cookies and session data
- Stores browsing history
- Syncs data with Firefox Accounts
Security Significance
- Credential Storage: Encrypted password database (logins.json + key4.db) that decrypts offline unless a Primary Password is set
- Network Access: Legitimate outbound connections to arbitrary hosts, which blends C2 and exfiltration into normal traffic
- Extension System: Can be abused by malicious add-ons that read or rewrite every page
- Profile Data: Valuable target for credential, cookie and session-token theft
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Mozilla Firefox\firefox.exe (per-user install: %LOCALAPPDATA%\Mozilla Firefox\firefox.exe) |
| Parent | explorer.exe (user launch); firefox.exe for its own child processes |
| Instances | Multiple (multi-process architecture) |
| User | Logged-in user |
| Network | HTTP/HTTPS traffic |
| Children | firefox.exe (content processes, launched with -contentproc); plugin-container.exe, updater.exe, crashreporter.exe, pingsender.exe |
Multi-Process Architecture
firefox.exe (main/parent)
├── firefox.exe (GPU process)
├── firefox.exe (content process 1)
├── firefox.exe (content process 2)
└── firefox.exe (extension process)
Every child carries -contentproc on its command line. A second firefox.exe without that switch is a separate browser launch, not a child, and should be triaged on its own parent and path.
Profile Location
%APPDATA%\Mozilla\Firefox\Profiles\*.default-release\
├── logins.json (encrypted passwords)
├── key4.db (NSS key database holding the key that decrypts logins.json)
├── cookies.sqlite (cookies and session tokens)
├── places.sqlite (history/bookmarks)
├── extensions.json (inventory of installed add-ons: id, version, signing state, install location)
└── extensions\ (installed add-on .xpi files)
Common Locations
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
%LOCALAPPDATA%\Mozilla Firefox\firefox.exe (per-user install, chosen when the installer is run without administrator rights)
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Path: C:\Program Files\Mozilla Firefox\firefox.exe (or the per-user install under %LOCALAPPDATA%\Mozilla Firefox\)
Parent: explorer.exe, firefox.exe
User: Logged-in user
Network: HTTPS to websites
Children: firefox.exe (content processes), plugin-container.exe, updater.exe, crashreporter.exe, pingsender.exe
SUSPICIOUS
Path: C:\Users\Public\firefox.exe
C:\Temp\firefox.exe
Parent: cmd.exe, powershell.exe, wscript.exe (a user starting Firefox from a terminal is benign; weigh the parent together with the path and command line)
Children: cmd.exe, powershell.exe, wscript.exe
Network: C2 destinations
Behavior: Accessing other users' profiles, or reading its own profile's logins.json/key4.db from a process that is not firefox.exe
Warning Signs
| Indicator | Legitimate | Suspicious | Risk |
|---|---|---|---|
| Path | Program Files | Elsewhere | HIGH |
| Parent | explorer.exe | Script host | HIGH |
| Children | firefox.exe | cmd/powershell | CRITICAL |
| Profile Access | Own profile | Other profiles | HIGH |
Abuse Techniques
Attack Techniques
Technique #1: Credential Theft (T1555.003)
Targeting Firefox Passwords:
# Malware copies these two files; with no Primary Password set they decrypt offline
$profilePath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default*"
Copy-Item "$profilePath\logins.json" C:\exfil\
Copy-Item "$profilePath\key4.db" C:\exfil\
Tools Used:
- LaZagne
- Firefox Decrypt
- HackBrowserData
Technique #2: Malicious Extensions (T1176)
Extension-Based Attacks:
- Keyloggers disguised as extensions
- Form grabbers for credentials
- Browser history exfiltration
Detection:
# List installed add-on packages, then the inventory Firefox keeps in extensions.json (id, version, signedState, install location)
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions"
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions.json" |
    ForEach-Object { (Get-Content $_.FullName -Raw | ConvertFrom-Json).addons } |
    Select-Object id, version, signedState, location, foreignInstall, active
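Listing add-ons only helps if the analyst knows what to look for. The triage below, an added example that is not code from the original page, reads a profile's extensions.json and flags the properties that matter for the attacks described above: a signing state below "signed", sideloading by a program outside Firefox (foreignInstall), an install location other than the profile itself, and the combination of all-sites host access with traffic-interception, native-messaging, cookie or history permissions. The field names are those Firefox's AddonManager writes to extensions.json and the signedState constants follow the same module (0 missing, 1 preliminary, 2 signed, 3 system, 4 privileged); the location names for registry-sideloaded add-ons and the whole sample file are constructed for the example.

```python
"""Triage the add-on inventory of a Firefox profile (extensions.json).

Added example, not code from the original page. Field names follow what Firefox's
AddonManager writes to extensions.json; signedState constants follow the same module.
The sample file at the bottom is constructed.
"""
import glob
import json
import os
from typing import Dict, List

SIGNED_STATE = {-2: "unknown", -1: "broken", 0: "missing", 1: "preliminary",
                2: "signed", 3: "system", 4: "privileged"}
# Add-ons shipped with Firefox itself; out of scope for this triage.
SHIPPED_LOCATIONS = {"app-builtin", "app-system-defaults"}
# Permissions that let an add-on read or rewrite traffic, talk to a native binary,
# or dump cookies/history: the building blocks of form grabbers and exfiltration.
TRAFFIC_PERMISSIONS = {"webRequest", "webRequestBlocking", "nativeMessaging",
                       "cookies", "history"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_addons(extensions_json: str) -> List[Dict]:
    """Return one finding per add-on that deserves analyst attention."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs cannot run code
        location = addon.get("location")
        if location in SHIPPED_LOCATIONS:
            continue
        reasons = []
        state = addon.get("signedState", 0)
        if state < 2:
            reasons.append(f"signature {SIGNED_STATE.get(state, state)}")
        if addon.get("foreignInstall"):
            reasons.append("sideloaded by a program outside Firefox (foreignInstall)")
        if location != "app-profile":
            reasons.append(f"unusual install location {location}")
        perms = addon.get("userPermissions") or {}
        risky = TRAFFIC_PERMISSIONS & set(perms.get("permissions", []))
        if risky and ALL_SITES & set(perms.get("origins", [])):
            reasons.append("all-sites access with " + ", ".join(sorted(risky)))
        if reasons:
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "version": addon.get("version"),
                "active": bool(addon.get("active")),
                "reasons": reasons,
            })
    return findings


def triage_profiles(pattern: str = r"%APPDATA%\Mozilla\Firefox\Profiles\*\extensions.json") -> Dict[str, List[Dict]]:
    """Run the triage over every profile matching the pattern (Windows path by default)."""
    results = {}
    for path in glob.glob(os.path.expandvars(pattern)):
        with open(path, encoding="utf-8") as fh:
            results[path] = triage_addons(fh.read())
    return results


# Constructed sample: a shipped add-on, a benign user add-on, a sideloaded
# traffic interceptor, and a preliminarily signed add-on. The "winreg-app-global"
# location name for registry-sideloaded add-ons is an assumption.
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 35, "addons": [
    {"id": "formautofill@mozilla.org", "type": "extension", "version": "1.0",
     "active": True, "location": "app-builtin",
     "defaultLocale": {"name": "Form Autofill"}},
    {"id": "notes@example.org", "type": "extension", "version": "2.3.1",
     "active": True, "signedState": 2, "location": "app-profile", "foreignInstall": False,
     "defaultLocale": {"name": "Quick Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "sysupdate@example.net", "type": "extension", "version": "0.9",
     "active": True, "signedState": 2, "location": "winreg-app-global", "foreignInstall": True,
     "defaultLocale": {"name": "System Update Helper"},
     "userPermissions": {"permissions": ["webRequest", "webRequestBlocking", "nativeMessaging", "storage"],
                         "origins": ["<all_urls>"]}},
    {"id": "helper@example.com", "type": "extension", "version": "1.2",
     "active": False, "signedState": 1, "location": "app-profile", "foreignInstall": False,
     "defaultLocale": {"name": "Page Helper"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["https://*/*"]}},
]})

if __name__ == "__main__":
    for finding in triage_addons(SAMPLE_EXTENSIONS_JSON):
        print(finding["id"], finding["version"], "active" if finding["active"] else "disabled",
              "; ".join(finding["reasons"]))
```

On the sample, the shipped Form Autofill add-on and the benign notes add-on produce nothing, the sideloaded "System Update Helper" is flagged on three counts, and the disabled helper is flagged only for its preliminary signature. A disabled add-on still matters: it can be re-enabled silently by whatever installed it, and the finding records that it is inactive so the analyst can prioritise.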
Technique #3: Process Injection (T1055)
Injecting into firefox.exe to:
- Intercept network traffic
- Steal credentials in memory
- Use browser as proxy
Technique #4: Process Masquerading (T1036.005)
Malware named firefox.exe in unexpected locations.
Detection Guidance
Detection Strategies
Priority #1: Unusual Child Processes
ParentProcess = "firefox.exe" AND
ChildProcess IN ["cmd.exe", "powershell.exe", "wscript.exe"]
→ ALERT: HIGH - Browser spawning shell
Expect occasional benign hits: a user opening a downloaded .bat, .cmd or .js file launches its interpreter as a child of firefox.exe, and extensions that use native messaging spawn their host program as a child. Triage on the child's command line and the download history rather than suppressing the rule.
Sysmon Rule (fragment; place inside the configuration's EventFiltering element):
<RuleGroup name="firefox_spawns_shell" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Rule groupRelation="and">
      <ParentImage condition="end with">\firefox.exe</ParentImage>
      <Image condition="contains any">\cmd.exe;\powershell.exe;\pwsh.exe;\wscript.exe;\cscript.exe</Image>
    </Rule>
  </ProcessCreate>
</RuleGroup>
The leading backslash keeps "end with" from matching a binary merely named something-firefox.exe, and the inner Rule with groupRelation="and" requires both conditions, so the parent/child pair is matched rather than either field on its own.
Priority #2: Profile Data Access
Process != "firefox.exe" AND
FileAccess CONTAINS "Mozilla\Firefox\Profiles" AND
FileAccess CONTAINS ["logins.json", "key4.db"]
→ ALERT: CRITICAL - Credential theft attempt
Sysmon does not record file reads, so this rule needs a source that does: EDR file-access telemetry, or Windows object-access auditing (event 4663) with a read SACL on the Profiles directory. Backup agents and sync clients will read these files legitimately; allowlist them by full image path, not by file name.
Priority #3: Path Verification
Process = "firefox.exe" AND
Path NOT CONTAINS "Program Files"
→ ALERT: HIGH - Potential masquerading
Allow the per-user install location (%LOCALAPPDATA%\Mozilla Firefox\firefox.exe) before deploying this, or it fires for every user who installed Firefox without administrator rights. A path check alone does not prove the binary is genuine; verify the Authenticode signature as well.
PowerShell Check:
Get-Process firefox -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if (-not $p) { Write-Warning "PID $($_.Id): path not readable (run elevated)"; return }
    if ($p -notlike '*\Program Files*\Mozilla Firefox\firefox.exe' -and $p -notlike '*\AppData\Local\Mozilla Firefox\firefox.exe') {
        Write-Warning "Suspicious firefox.exe path: $p"
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*CN=Mozilla Corporation*') {
        Write-Warning "Signature problem on ${p}: $($sig.Status)"
    }
}
The explicit null check matters: from a non-elevated session, Path is empty for other users' processes, and an empty value passes a -notlike test, so the original one-liner would report every such process as suspicious.
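The three priorities above are written as pseudocode against whatever telemetry the SOC has. The following is an added example, not code from the original page, that implements them as one evaluator over process-creation and file-access records so the logic can be checked against sample data before it is ported to a SIEM query. Events are plain dicts in a Sysmon-like shape (EventType, Image, ParentImage, TargetFilename); the install-path allowlist, the set of Firefox helper binaries treated as expected children, and the sample events are all assumptions to be tuned per environment. It goes slightly beyond the page's three rules by also scoring a script-host parent (the Warning Signs table) and by downgrading unexpected non-shell children to a review-level finding, for the download-opening and native-messaging cases.

```python
"""Run the detection priorities above over process and file telemetry.

Added example, not code from the original page. Events are dicts in a Sysmon-like
shape; map your EDR, Sysmon or 4663 fields onto these names. Allowlists and the
sample events are constructed assumptions.
"""
import ntpath
from typing import Dict, List

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Helpers shipped in the Firefox install directory that legitimately run as children of firefox.exe.
KNOWN_CHILDREN = {"firefox.exe", "plugin-container.exe", "updater.exe",
                  "crashreporter.exe", "pingsender.exe", "minidump-analyzer.exe"}
CREDENTIAL_FILES = {"logins.json", "key4.db"}
# System-wide and x86 installs, plus the per-user install under %LOCALAPPDATA% (tune per fleet).
ALLOWED_INSTALL_DIRS = ("\\program files\\mozilla firefox\\",
                        "\\program files (x86)\\mozilla firefox\\",
                        "\\appdata\\local\\mozilla firefox\\")


def _base(path: str) -> str:
    return ntpath.basename(path or "").lower()


def _alert(severity: str, rule: str, ev: Dict[str, str]) -> Dict[str, str]:
    return {"severity": severity, "rule": rule, "image": ev.get("Image", ""),
            "detail": ev.get("ParentImage") or ev.get("TargetFilename", "")}


def check_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    alerts = []
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if ev["EventType"] == "ProcessCreate":
        # Priority #1: what firefox.exe spawns.
        if _base(parent) == "firefox.exe":
            if _base(image) in SHELLS:
                alerts.append(_alert("HIGH", "firefox_spawns_shell", ev))
            elif _base(image) not in KNOWN_CHILDREN:
                # Usually a downloaded file being opened or a native-messaging host: review, don't page.
                alerts.append(_alert("LOW", "firefox_unexpected_child", ev))
        # Priority #3: where firefox.exe runs from, and who started it.
        if _base(image) == "firefox.exe":
            if not any(d in image.lower() for d in ALLOWED_INSTALL_DIRS):
                alerts.append(_alert("HIGH", "firefox_masquerade_path", ev))
            if _base(parent) in SHELLS:
                alerts.append(_alert("MEDIUM", "firefox_script_host_parent", ev))
    elif ev["EventType"] == "FileAccess":
        # Priority #2: anything but Firefox touching the credential store.
        target = ev.get("TargetFilename", "")
        if (_base(image) != "firefox.exe"
                and "\\mozilla\\firefox\\profiles\\" in target.lower()
                and _base(target) in CREDENTIAL_FILES):
            alerts.append(_alert("CRITICAL", "profile_credential_file_access", ev))
    return alerts


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: two benign launches, a helper child, a shell child,
# a masquerading copy started by wscript, a per-user install, and two profile reads.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q2.default-release"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": FF, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ProcessCreate", "Image": FF, "ParentImage": FF},  # content process
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe", "ParentImage": FF},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": FF},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\firefox.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\alice\AppData\Local\Mozilla Firefox\firefox.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "FileAccess", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "TargetFilename": PROFILE + r"\logins.json"},
    {"EventType": "FileAccess", "Image": FF, "TargetFilename": PROFILE + r"\key4.db"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['severity']:8} {a['rule']:32} {a['image']}  <- {a['detail']}")
```

On the sample the evaluator raises exactly four alerts: the shell child, the masquerading path and its script-host parent (two findings on the same event, which is the signal to escalate), and the Temp-resident binary reading logins.json. The content process, the plugin-container child, the per-user install and Firefox's own read of key4.db stay silent.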
Remediation Steps
Protection and Remediation
Defense: Use a Primary Password
Enable a Firefox Primary Password (formerly called Master Password). Without one, the key in key4.db is unlocked with an empty password and a copied profile decrypts offline; with one, stolen files are useless without the passphrase. It can be required fleet-wide with the PrimaryPassword enterprise policy.
Defense: Extension Controls
Restrict extension installation via enterprise policies (the "*" entry blocks anything not listed explicitly; the second entry uses a placeholder ID to show how a vetted add-on is allowed):
// policies.json (C:\Program Files\Mozilla Firefox\distribution\policies.json)
{
  "policies": {
    "PrimaryPassword": true,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Add-ons must be approved by IT"
      },
      "approved-addon@example.com": {
        "installation_mode": "allowed"
      }
    }
  }
}
Defense: Profile Monitoring
Monitor access to Firefox profile directories.
If Compromise Suspected
- Check installed extensions
- Review profile for unauthorized access
- Change all stored passwords
- Clear cookies and sessions
- Check for injected DLLs
- Verify firefox.exe integrity
Investigation Checklist
- Verify firefox.exe path is in Program Files (or %LOCALAPPDATA%\Mozilla Firefox for a per-user install)
- Check for unusual child processes
- Review installed extensions
- Check for profile data access by other processes
- Examine network connections
- Review browser history for suspicious sites
- Check for DLL injection
- Validate file signature