[metadata] creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Access of Stored Browser Credentials" note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://securelist.com/calisto-trojan-for-macos/86543/"] risk_score = 73 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : ( "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies", "/Users/*/Library/Cookies*", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", "Login Data", "Cookies.binarycookies", "key4.db", "key3.db", "logins.json", "cookies.sqlite" ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/"