diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
new file mode 100644
index 000000000..36018c3c6
--- /dev/null
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2020/12/21"
+maturity = "production"
+updated_date = "2020/12/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt
+to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain
+access web applications or Internet services as an authenticated user without needing credentials.
+"""
+false_positives = ["Developers performing browsers plugin or extension debugging."]
+from = "now-9m"
+index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+max_signals = 33
+name = "Potential Cookies Theft via Browser Debugging"
+references = [
+ "https://github.com/defaultnamehere/cookie_crimes",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
+ "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e",
+]
+risk_score = 47
+rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started", "info") and
+ process.name in (
+ "Microsoft Edge",
+ "chrome.exe",
+ "Google Chrome",
+ "google-chrome-stable",
+ "google-chrome-beta",
+ "google-chrome",
+ "msedge.exe") and
+ process.args : ("--remote-debugging-port=*",
+ "--remote-debugging-targets=*",
+ "--remote-debugging-pipe=*") and
+ process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
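Review bot: The `process.name` list in the query covers only Google Chrome and Microsoft Edge binaries, while the `description` and the file name promise coverage of "Chromium based" browsers in general; process names such as `chromium`, `chromium-browser` or `brave.exe` would not match, so either the list should be extended to the browsers in scope or the description narrowed to Chrome and Edge. The `--remote-debugging-port=0` exclusion on the last query line is unexplained; since that value presumably corresponds to the browser picking an ephemeral port, as automation tooling commonly does, the reason belongs in `false_positives` (e.g. "Browser automation frameworks launching a Chromium browser with remote debugging enabled") so future tuners do not remove it. As a point of style, that same predicate is written `process.args:"--remote-debugging-port=0"` while every other one uses `process.args : "..."`; use `and not process.args : "--remote-debugging-port=0"` for consistency. `max_signals = 33` looks like an arbitrary value next to the other rules in this repository; if it is intentional, a comment above it would help.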