IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Access of Stored Browser Credentials
editAccess of Stored Browser Credentials
editIdentifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Credential Access
Version: 1
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.type in ("start", "process_started") and process.args : ( "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", "/Users/*/Library/Cookies*", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", "Login Data", "Cookies.binarycookies", "key4.db", "key3.db", "logins.json", "cookies.sqlite" )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Credentials from Password Stores
- ID: T1555
- Reference URL: https://attack.mitre.org/techniques/T1555/