From 8eeadb9beb6b759db0c79b9f7731b4e4ec730481 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 3 Feb 2022 06:38:43 +0100
Subject: [PATCH] Add other browser

---
 ...data.yml => posh_ps_access_to_browser_login_data.yml} | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 rename rules/windows/powershell/powershell_script/{posh_ps_access_to_opera_login_data.yml => posh_ps_access_to_browser_login_data.yml} (71%)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_opera_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
similarity index 71%
rename from rules/windows/powershell/powershell_script/posh_ps_access_to_opera_login_data.yml
rename to rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index 3d5a117de..b69efb221 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_opera_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -1,4 +1,4 @@
-title: Access to Opera Login Data
+title: Access to Browser Login Data
 id: fc028194-969d-4122-8abe-0470d5b8f12f
 status: experimental
 author: frack113
@@ -19,7 +19,12 @@ detection:
 - Copy-Item
 - '-Destination'
 selection_path:
- ScriptBlockText|contains: '\Opera Software\Opera Stable\Login Data'
+ ScriptBlockText|contains:
+ '\Opera Software\Opera Stable\Login Data'
+ '\Mozilla\Firefox\Profiles'
+ '\Microsoft\Edge\User Data\Default'
+ '\Google\Chrome\User Data\Default\Login Data'
+ '\Google\Chrome\User Data\Default\Login Data For Account'
 condition: all of selection_*
 falsepositives:
 - Unknown
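Review bot: The Edge and Firefox entries added to `selection_path` are far broader than the Opera/Chrome ones: `'\Microsoft\Edge\User Data\Default'` matches any file copied out of the Edge profile (history, cookies, bookmarks) rather than the credential store, and `'\Mozilla\Firefox\Profiles'` matches the entire Firefox profile tree. Because the other selection, whose key sits outside the hunk, only requires `Copy-Item` and `-Destination` on the visible lines and the condition is `all of selection_*`, an ordinary profile backup script now fires; pin Edge to `'\Microsoft\Edge\User Data\Default\Login Data'` and consider constraining Firefox to its credential files (`logins.json` / `key4.db`) instead of the profile root. `'\Google\Chrome\User Data\Default\Login Data For Account'` is subsumed by the preceding `'\Google\Chrome\User Data\Default\Login Data'` entry under `contains`, so it never adds a match — drop it or add a comment explaining why it is kept. Both Chrome and Edge patterns cover only the `Default` profile, so copies from `Profile 1`, `Profile 2`, etc. are presumably missed; that limitation is worth a comment or a broader pattern. The enclosing `detection:` block begins before this hunk.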