credential_access_access_to_browser_credentials_procargs.toml

[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Access of Stored Browser Credentials"
references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
risk_score = 73
rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
  process.args :
    (
      "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", 
      "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", 
      "/Users/*/Library/Cookies*", 
      "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", 
      "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", 
      "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", 
      "Login Data",
      "Cookies.binarycookies", 
      "key4.db", 
      "key3.db", 
      "logins.json", 
      "cookies.sqlite"
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.003"
name = "Credentials from Web Browsers"
reference = "https://attack.mitre.org/techniques/T1555/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"