Access of Stored Browser Credentials
Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Elastic rule
[metadata]
creation_date = "2020/01/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Access of Stored Browser Credentials"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
risk_score = 73
rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  process.args :
  (
    "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
    "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
    "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies",
    "/Users/*/Library/Cookies*",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json",
    "Login Data",
    "Cookies.binarycookies",
    "key4.db",
    "key3.db",
    "logins.json",
    "cookies.sqlite"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.003"
name = "Credentials from Web Browsers"
reference = "https://attack.mitre.org/techniques/T1555/003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
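To make the query's matching semantics concrete, the following is an added Python example, not code from the rule or from the detection-rules repository. It evaluates the same condition over a few constructed ECS-shaped process events: it reproduces the EQL `:` operator (case-insensitive comparison, `*` matching any run of characters including path separators, `?` matching one character) and the fact that `event.type` and `process.args` may be array-valued. The pattern list is copied from the rule; the helper names, the sample process names and the user directories are assumptions.

```python
"""Evaluate the rule's EQL condition over constructed sample events (added example)."""
from __future__ import annotations

import re
from typing import Any

# Patterns copied verbatim from the rule's process.args list.
BROWSER_CREDENTIAL_PATHS = [
    "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
    "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
    "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies",
    "/Users/*/Library/Cookies*",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
    "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json",
    "Login Data",
    "Cookies.binarycookies",
    "key4.db",
    "key3.db",
    "logins.json",
    "cookies.sqlite",
]


def eql_wildcard_regex(pattern: str) -> re.Pattern[str]:
    """Translate an EQL ':' pattern into a case-insensitive regex.

    EQL ':' compares keyword strings case-insensitively; '*' matches any run
    of characters (including '/') and '?' matches exactly one character.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


_COMPILED = [eql_wildcard_regex(p) for p in BROWSER_CREDENTIAL_PATHS]


def get_field(event: dict, dotted: str) -> Any:
    """Walk a nested ECS document by dotted path; None if any segment is missing."""
    cur: Any = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _as_list(value: Any) -> list:
    """ECS fields such as event.type and process.args may be scalar or array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matching_args(event: dict) -> list[str]:
    """process.args values that fully match any rule pattern (empty list if none)."""
    return [
        a for a in _as_list(get_field(event, "process.args"))
        if isinstance(a, str) and any(rx.fullmatch(a) for rx in _COMPILED)
    ]


def rule_matches(event: dict) -> bool:
    """Mirror the query: macOS host, a process-start event type, and at least one matching arg."""
    if get_field(event, "host.os.type") != "macos":  # '==' in EQL is case-sensitive
        return False
    if not set(_as_list(get_field(event, "event.type"))) & {"start", "process_started"}:
        return False
    return bool(matching_args(event))


def _event(os_type: str, name: str, args: list[str]) -> dict:
    """Build a minimal ECS-shaped process event (constructed test data, hypothetical hosts)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": ["start"], "category": ["process"]},
        "process": {"name": name, "args": args},
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event("macos", "cp", ["cp", "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data", "/tmp/ld"]),
    _event("macos", "cat", ["cat", "KEY4.DB"]),  # bare filename, different case: ':' still matches
    _event("macos", "ls", ["ls", "/Users/bob/Library/Cookies/Cookies.binarycookies"]),  # '*' spans '/'
    _event("linux", "cp", ["cp", "logins.json", "/tmp/"]),  # not macOS: outside the rule's scope
    _event("macos", "Google Chrome", ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--restore-last-session"]),
]


def evaluate(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (process.name, matched args) for every event the rule would alert on."""
    return [(get_field(e, "process.name"), matching_args(e)) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name}: {hits}")
```

Running it flags the first three sample events and leaves the Linux copy and the plain browser launch alone, which is the behaviour a tuning exercise should confirm before the rule goes live: the bare filenames at the end of the list mean any process whose argument is exactly `logins.json` or `key4.db` fires regardless of directory, so a legitimate backup or sync job touching those names needs an exception rather than a rule change.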
Setup
If you enable this EQL rule on a non-Elastic-Agent index (such as Beats) on a stack version earlier than 8.2, the events will not carry event.ingested, and the default fallback for EQL rules was only added in 8.2. You will therefore need a custom ingest pipeline that populates event.ingested from @timestamp for this rule to work.
References
- https://securelist.com/calisto-trojan-for-macos/86543/
Related rules
- Access to Keychain Credentials Directories
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Kerberos Cached Credentials Dumping
- Keychain Password Retrieval via Command Line