Create win_security_access_to_browser_credential_files.yml #5057
Conversation
Hey @Koifman thanks for your contribution. Unfortunately a rule based on access is very prone to FP from third party apps, especially AV and backup software. For this, the rule has been moved to the hunting folder, reduced to low, and a pretty aggressive filter has been added. In addition to this the original logic contained a bit of overlap, as the "contains" for example for "Cookies" will also cover "Cookies-journal", so they've been merged. Other locations for Firefox have been added, and it is encouraged to add more. Another thing to keep in mind, which I put a note on: the AccessMask 0x1 is only one case of the possible ones. An attacker can request a combined mask which will also allow him to read the files, and it will not be equal to "0x1". As a final remark, since this is your first PR, I highly suggest that when you take information from a blog you do your due diligence and go a bit deeper to enhance the rule and provide great logic. Cheers.
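The AccessMask point above is the one a rule author most easily gets wrong, so here is an added illustration (not the SigmaHQ rule, and not code from this PR or its author). It models a Security 4663 file-access event as a dict, uses the `ProcessName` field that the event carries, and tests the read bit with a bitwise AND instead of an equality check, so a combined mask such as 0x120089 (a constructed value that includes FILE_READ_DATA) is still treated as a read. The credential file names, the browser allowlist and the sample events are assumptions for the demonstration.

```python
"""Added example: triage of Windows Security 4663 events against browser
credential stores. Sample events below are constructed, not real telemetry."""
import re

# Well-known ACCESS_MASK bits from the Windows SDK.
FILE_READ_DATA = 0x1
GENERIC_READ = 0x80000000
READ_BITS = FILE_READ_DATA | GENERIC_READ

# Credential-bearing file names (assumed list for the example). Note that
# a substring match on "Cookies" also covers "Cookies-journal", which is why
# the two need not be listed separately.
CREDENTIAL_FILE_PATTERN = re.compile(
    r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db|cookies\.sqlite)",
    re.IGNORECASE,
)

# Processes expected to open these files (hypothetical allowlist).
BROWSER_PROCESSES = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")


def requests_read(access_mask: int) -> bool:
    """True when any read bit is set in the mask.

    An equality test (mask == 0x1) misses combined masks such as 0x120089,
    which include FILE_READ_DATA alongside SYNCHRONIZE and READ_CONTROL.
    """
    return bool(access_mask & READ_BITS)


def is_suspicious(event: dict) -> bool:
    """Flag a 4663 event: credential file, non-browser process, read access."""
    if event.get("EventID") != 4663:
        return False
    if not CREDENTIAL_FILE_PATTERN.search(event.get("ObjectName", "")):
        return False
    proc = event.get("ProcessName", "").lower()
    if proc.endswith(BROWSER_PROCESSES):
        return False
    return requests_read(int(event.get("AccessMask", "0x0"), 16))


def triage(events: list) -> list:
    """Return the ProcessName of every event that is_suspicious() flags."""
    return [e["ProcessName"] for e in events if is_suspicious(e)]


# Constructed sample events (paths and processes are illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "AccessMask": "0x1"},
    # Combined mask: an equality check against 0x1 would miss this read.
    {"EventID": 4663, "ProcessName": "C:\\Tools\\python.exe",
     "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies-journal",
     "AccessMask": "0x120089"},
    # FILE_READ_ATTRIBUTES only: metadata access, not a content read.
    {"EventID": 4663, "ProcessName": "C:\\Backup\\agent.exe",
     "ObjectName": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json",
     "AccessMask": "0x80"},
    {"EventID": 4656, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
     "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("suspicious:", name)
```

Running the block prints notepad.exe and python.exe; chrome.exe is allowlisted, the backup agent only reads attributes, and the 4656 handle-request event is out of scope. The FP caveat from the comment still stands: the allowlist is the only thing separating AV or backup software from the hits, so in practice it belongs in a tunable filter rather than in the rule logic.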
From the documentation it is ProcessName, not Image.
rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml
…e_access_browser_credential.yml Co-authored-by: frack113 <[email protected]>
Thank you so much for taking the time to write this. I will take this as notes for any future potential additions.
Summary of the Pull Request
Based on the post here: https://ipurple.team/2024/09/10/browser-stored-credentials/
Created a rule to detect read access operations on sensitive Chrome/Edge locations, where the process name is not a related browser process name.
Changelog
new: Access To Browser Credential Files By Uncommon Applications - Security
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions