diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 6f598bd5c..393a90ec6 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/13"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ process where event.type in ("start", "process_started") and
 (
   "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
   "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
+  "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies",
   "/Users/*/Library/Cookies*",
   "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
   "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
@@ -48,6 +49,11 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
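Review bot: The new `Profile*/Cookies` entry in the second hunk closes the cookie gap for non-default Chrome profiles but leaves the matching `Login Data` store uncovered, so the list still only detects saved-password access for the `Default` profile while it detects cookie access for every profile. Chrome keeps each additional profile's data under its own `Profile N` directory with the same file names as `Default`, so the same wildcard should be applied to the password store: `"/Users/*/Library/Application Support/Google/Chrome/Profile*/Login Data",` placed next to the added line. Without it the T1555 mapping in the third hunk overstates coverage for multi-profile hosts. The enclosing `query` block starts and ends outside the hunk, so the full list of paths and the surrounding process filter are not visible here.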