security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db54ea7467a6750fe2b59fc48375cf14ab3ca2cd
sigma-rules/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

63 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt
to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain
access web applications or Internet services as an authenticated user without needing credentials.
"""
false_positives = ["Developers performing browsers plugin or extension debugging."]
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Potential Cookies Theft via Browser Debugging"
references = [
"https://github.com/defaultnamehere/cookie_crimes",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e",
]
risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started", "info") and
process.name in (
"Microsoft Edge",
"chrome.exe",
"Google Chrome",
"google-chrome-stable",
"google-chrome-beta",
"google-chrome",
"msedge.exe") and
process.args : ("--remote-debugging-port=*",
"--remote-debugging-targets=*",
"--remote-debugging-pipe=*") and
process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink