[Tuning] Access to Stored Browser Credentials (#3066)

* Exclude FPs

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 6400bb3237)
Colson Wilhoit
2023-10-27 15:10:09 -05:00
committed by github-actions[bot]
parent 2e0afa9aa9
commit e4e00ae8e1
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/31"
[rule]
author = ["Elastic"]
@@ -46,7 +46,8 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
"key3.db",
"logins.json",
"cookies.sqlite"
)
) and
not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint"))
'''
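Review bot: The exclusion added on the last line of the query matches on `process.name` and `process.parent.name` alone, so any process pair carrying those names is excluded, regardless of where the binaries live or who signed them. Consider tightening it with the parent's path or signature, for example `process.parent.executable : "<elastic agent install path>/*"` (placeholder path) or a trusted code-signature condition on the parent, if the endpoint populates those fields for this event. A short comment above the clause naming the benign activity it covers would help future tuning, since the commit message says only "Exclude FPs". The query starts before this hunk, so its other conditions are not visible here.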