[Rule Tuning] Access of Stored Browser Credentials (#2098)

* audit update: added technique T1539 and excluded additional cookies path
Mika Ayenson
2022-07-22 13:57:59 -04:00
committed by GitHub
parent 7ddae4b493
commit aaf9a708ae
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/13"
[rule]
author = ["Elastic"]
@@ -32,6 +32,7 @@ process where event.type in ("start", "process_started") and
(
"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies",
"/Users/*/Library/Cookies*",
"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
@@ -48,6 +49,11 @@ process where event.type in ("start", "process_started") and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"