Update and rename proc_creation_win_sqlite_chrome_cookies.yml to proc_creation_win_sqlite_chromium_profile_data.yml

Updated to expand browser and database file coverage

rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml

@@ -1,28 +0,0 @@
-title: SQLite Chrome Cookie DB Access
-id: 24c77512-782b-448a-8950-eddb0785fc71
-status: experimental
-description: Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
-author: TropChaud
-date: 2022/12/19
-tags:
-    - attack.credential_access
-    - attack.t1539
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_sql:
-        - Product: SQLite
-        - Image|endswith:
-            - '\sqlite.exe'
-            - '\sqlite3.exe'
-    selection_chrome:
-        CommandLine|contains:
-            - '\Google\Chrome\User Data\Default\Network\Cookies' # Latest chrome versions
-            - '\Google\Chrome\User Data\Default\Cookies' # Older chrome versions
-    condition: all of selection_*
-falsepositives:
-    - Unknown
-level: high

rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml

@@ -0,0 +1,41 @@
+title: SQLite Chromium Profile Data DB Access
+id: 24c77512-782b-448a-8950-eddb0785fc71
+status: experimental
+description: Detect use of sqlite binary to query databases in Chromium-based browsers for potentially sensitive user profile data, and steal the data contained within them
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
+    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
+author: TropChaud
+date: 2022/12/19
+modified: 2023/01/19
+tags:
+    - attack.credential_access
+    - attack.t1539
+    - attack.t1555.003
+    - attack.collection
+    - attack.t1005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_sql:
+        - Product: SQLite
+        - Image|endswith:
+            - '\sqlite.exe'
+            - '\sqlite3.exe'
+    selection_chromium:
+        CommandLine|contains:
+            - '\User Data\' # Most common folder for user profile data among Chromium browsers
+            - '\Opera Software\' # Opera
+            - '\ChromiumViewer\' # Sleipnir (Fenrir)
+    selection_data:
+        CommandLine|contains:
+            - 'Login Data' # Passwords
+            - 'Cookies'
+            - 'Web Data' # Credit cards, autofill data
+            - 'History'
+            - 'Bookmarks'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high