From d490f345a76730c967dcd413ce1bfa6fb291a627 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 14 Feb 2019 00:09:44 -0600
Subject: [PATCH] T1005 Safari CookieMiner Test (#454)

* initial commit
* modified output style
* final url changes
* Update rocke-and-roll-stage-01.sh
* Added Safari cookie search CookieMiner test
---
 atomics/T1005/T1005.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 atomics/T1005/T1005.yaml

diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml
new file mode 100644
index 00000000..c31e96cd
--- /dev/null
+++ b/atomics/T1005/T1005.yaml
@@ -0,0 +1,23 @@
+---
+attack_technique: T1005
+display_name: Data from Local System
+
+atomic_tests:
+- name: Search macOS Safari Cookies
+  description: |
+    This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
+
+  supported_platforms:
+  - macos
+
+  input_arguments:
+    search_string:
+      description: String to search Safari cookies to find.
+      type: string
+      default: coinbase
+
+  executor:
+    name: sh
+    command: |
+      cd ~/Library/Cookies
+      grep -q "#{search_string}" "Cookies.binarycookies"
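Review bot: In the `command` block the result of `cd ~/Library/Cookies` is not checked, so if that directory is absent `grep` runs in the executor's current directory against a non-existent `Cookies.binarycookies` and the test's exit status reports a failure for the wrong reason. Chaining the two, `cd ~/Library/Cookies && grep -q "#{search_string}" "Cookies.binarycookies"`, or dropping the `cd` in favour of the full path `grep -q "#{search_string}" ~/Library/Cookies/Cookies.binarycookies`, makes the exit status reflect the search itself and keeps the file being read explicit in a single line. The `description` should also name the file that is inspected and how the result is reported, e.g. `Searches ~/Library/Cookies/Cookies.binarycookies (Safari's cookie store) with grep -q; exit status 0 means the string was found.`, because `-q` prints nothing and a reader of the test output otherwise has no indication of what was examined.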