From ed90f8eefca89c343e04a69e287c4c97a78ba16a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Apr 2022 19:22:28 +0200
Subject: [PATCH] docs: reworked rule

---
 .../file_access_win_browser_credential_stealing.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
index f0eeca908..b9fb94baa 100644
--- a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
@@ -1,11 +1,14 @@
-title: Browser Credential Stealing
+title: Browser Credential Store Access
 id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
 status: experimental
-description: Steals cookies and credentials from the user
+description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
 references:
     - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
 author: frack113
 date: 2022/04/09
+tags:
+    - attack.t1003
+    - attack.credential_access
 logsource:
     category: file_access
     product: windows
@@ -34,9 +37,6 @@ detection:
             TargetFilename|endswith: '\APPDATA\LOCAL\MICROSOFT\WINDOWS\WEBCACHE\WEBCACHEV01.DAT'
     condition: selection and not 1 of filter_*
 falsepositives:
-    - Very Probably
     - Antivirus, Anti-Spyware, Anti-Malware Software
+    - Backup software
 level: medium
-tags:
-    - attack.t1003
-    - attack.credential_access
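Review bot: The new description in the first hunk reads awkwardly and states the process criteria as fact; `description: Detects processes, selected by image name and location, accessing browser credential stores, which can be a sign of credential theft` keeps the meaning with cleaner grammar. The `selection` block that those name and location criteria refer to lies outside both hunks, so this patch alone does not show that the description matches the detection logic; worth a glance at the full rule before merging the wording. The two hunks are otherwise metadata-only (title, tags moved to the top, false-positive list), which matches the `docs:` prefix of the commit.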