From aaf9a708ae9fcae89a3e7e54602f3945b3e196cb Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 13:57:59 -0400
Subject: [PATCH] [Rule Tuning] Access of Stored Browser Credentials (#2098)

* audit update : added technique T1539 and excluded additional cookies path

---
 ...ial_access_access_to_browser_credentials_procargs.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 6f598bd5c..393a90ec6 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/13"
 
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ process where event.type in ("start", "process_started") and
 (
 "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
 "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
+"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies",
 "/Users/*/Library/Cookies*",
 "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
 "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
@@ -48,6 +49,11 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
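Review bot: The new `Profile*/Cookies` pattern in the second hunk covers non-default Chrome profiles for cookies only, while the `Default` profile on the two lines above is matched for both `Login Data` and `Cookies`, so the stored-credential file of a secondary profile is still outside the list. Adding the parallel entry `"/Users/*/Library/Application Support/Google/Chrome/Profile*/Login Data",` next to the new line would keep the two profile forms consistent with each other and with the rule's stated scope of stored browser credentials. The query that contains this path list begins and ends outside the hunk, so whether the list is an inclusion or an exclusion cannot be confirmed from the hunk alone; the commit message says "excluded", which reads as at odds with a match-list addition and is worth a one-line clarification in the description.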