From 64b89e87e89994f76de7ed0ccc2ae66c0a31b91c Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 14:14:24 +0330
Subject: [PATCH 1/4] Add rule for detect browser information discovery
---
 ...ion_lnx_browser_information_discovery.yaml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
diff --git a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
new file mode 100644
index 00000000000..13c7bedf77b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
@@ -0,0 +1,37 @@
+title: Detect Browser Information Discovery - Linux
+id: 53f9703e-abc5-4eff-945e-2ab75c206c63
+status: test
+description: Adversaries may enumerate information about browsers to learn more about compromised environments.
+ Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal
+ information about users (e.g., banking sites, relationships/interests, social media) and details about internal
+ network resources like servers, tools, dashboards, or other infrastructure.
+references:
+ - https://attack.mitre.org/techniques/T1217/
+author: CheraghiMilad
+date: 2024-12-08
+tags:
+ - attack.discovery
+ - attack.t1217
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/cat'
+ - '/ed'
+ - '/head'
+ - '/more'
+ - '/nano'
+ - '/tail'
+ - '/vi'
+ - '/vim'
+ - '/less'
+ CommandLine|contains:
+ - 'cert*.db'
+ - 'places.sqlite'
+ - 'cookies.sqlite'
+ - 'logins.json'
+ - 'prefs.js'
+ condition: selection
+level: medium
From 94b3f6dc00bbbb97b56e258c251b1cd8ceed75b4 Mon Sep 17 00:00:00 2001
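Review bot: The rule has no `falsepositives` section, which SigmaHQ expects on every rule, and that matters here because the names under `CommandLine|contains` (`prefs.js`, `logins.json`, `cert*.db`, `cookies.sqlite`) are not browser-specific — as far as I know other Mozilla profile directories such as Thunderbird's use the same files, so an administrator or backup script reading one with `cat` or `less` fires this at `level: medium`. A starting entry would be `falsepositives:` followed by `    - Administrators, backup jobs or forensic tooling inspecting Mozilla profile directories`. On coverage, the key database that sits next to `cert9.db` in the same profile directory is not matched; `- 'key*.db'` beside `- 'cert*.db'` would close that gap. The four-line plain-scalar `description` would also be easier to maintain as a `description: |` block, the usual form for long descriptions in Sigma rules.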
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 10:30:29 +0330
Subject: [PATCH 2/4] Some permalinks and images have been added
---
 ...c_creation_lnx_browser_information_discovery.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
index 13c7bedf77b..5366f6f6c23 100644
--- a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
+++ b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
@@ -1,12 +1,11 @@
-title: Detect Browser Information Discovery - Linux
+title: Browser Information Discovery - Linux
 id: 53f9703e-abc5-4eff-945e-2ab75c206c63
 status: test
-description: Adversaries may enumerate information about browsers to learn more about compromised environments.
- Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal
- information about users (e.g., banking sites, relationships/interests, social media) and details about internal
- network resources like servers, tools, dashboards, or other infrastructure.
+description: Adversaries may enumerate information about browsers to learn more about compromised environments.Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media) and details about internal network resources like servers, tools, dashboards, or other infrastructure.
 references:
- - https://attack.mitre.org/techniques/T1217/
+ - https://medium.com/@jsaxena017/web-browser-forensics-part-2-firefox-browser-3dc6ef104607
+ - https://renenyffenegger.ch/notes/development/web/browser/Firefox/profile-folder/index
+ - https://medium.com/@s12deff/steal-firefox-passwords-from-windows-linux-9d9a87906c7d
 author: CheraghiMilad
 date: 2024-12-08
 tags:
@@ -27,6 +26,7 @@ detection:
 - '/vi'
 - '/vim'
 - '/less'
+ - '/sqlite3'
 CommandLine|contains:
 - 'cert*.db'
 - 'places.sqlite'
From d00711a45b93750c5e9d9b3c607185f3233ccde9 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 10:31:17 +0330
Subject: [PATCH 3/4] change status
---
 .../proc_creation_lnx_browser_information_discovery.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
index 5366f6f6c23..f0a0e16bc37 100644
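Review bot: The joined `description` line now reads `environments.Data saved by browsers` — the space after the full stop was lost when the four continuation lines were folded into one, so it should read `compromised environments. Data saved by browsers`. The same hunk drops the only `https://attack.mitre.org/techniques/T1217/` reference while the `attack.t1217` tag stays; keeping the technique page as the first entry alongside the three new links preserves the mapping between the tag and its source. If the long description is kept, a `description: |` block reads better than a single very long plain scalar.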
--- a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
+++ b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
@@ -1,6 +1,6 @@
 title: Browser Information Discovery - Linux
 id: 53f9703e-abc5-4eff-945e-2ab75c206c63
-status: test
+status: experimental
 description: Adversaries may enumerate information about browsers to learn more about compromised environments.Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media) and details about internal network resources like servers, tools, dashboards, or other infrastructure.
 references:
 - https://medium.com/@jsaxena017/web-browser-forensics-part-2-firefox-browser-3dc6ef104607
From 7c25e3fef0eec1ae98dab30294c8944aa944b405 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Tue, 17 Dec 2024 13:58:35 +0330
Subject: [PATCH 4/4] Chrome browser sensitive files were also added
---
 ...oc_creation_lnx_browser_information_discovery.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
index f0a0e16bc37..03b93a952c2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
+++ b/rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml
@@ -1,13 +1,15 @@
 title: Browser Information Discovery - Linux
 id: 53f9703e-abc5-4eff-945e-2ab75c206c63
 status: experimental
-description: Adversaries may enumerate information about browsers to learn more about compromised environments.Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media) and details about internal network resources like servers, tools, dashboards, or other infrastructure.
+description: Detects reading of sensitive browser files.
 references:
 - https://medium.com/@jsaxena017/web-browser-forensics-part-2-firefox-browser-3dc6ef104607
 - https://renenyffenegger.ch/notes/development/web/browser/Firefox/profile-folder/index
 - https://medium.com/@s12deff/steal-firefox-passwords-from-windows-linux-9d9a87906c7d
+ - https://www.systutorials.com/how-to-export-google-chrome-password-on-linux/
 author: CheraghiMilad
 date: 2024-12-08
+modified: 2024-12-17
 tags:
 - attack.discovery
 - attack.t1217
@@ -33,5 +35,12 @@ detection:
 - 'cookies.sqlite'
 - 'logins.json'
 - 'prefs.js'
+ - 'google-chrome/*/Bookmarks'
+ - 'google-chrome/*/Login Data'
+ - 'google-chrome/*/Cookies'
+ - 'google-chrome/*/Sessions'
+ - 'google-chrome/*/History'
 condition: selection
+falsepositives:
+ - Since the file names of Chrome are not unique, I had to include the path "google-chrome" in the rule. If an attacker uses "cd google-chrome", the rule related to Chrome will be bypassed.
 level: medium
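Review bot: `modified: 2024-12-17` is added to a rule that has not been merged yet; in SigmaHQ the `modified` field marks changes to an already published rule, and as far as I can tell the convention for an open PR is to bump `date` instead, so `date: 2024-12-17` without a `modified` line is the expected form. The replacement `description: Detects reading of sensitive browser files.` no longer says what is matched; a reader should be able to tell from it that the rule covers command-line viewers/editors and `sqlite3` touching Firefox and Google Chrome profile files, e.g. `description: Detects command line file viewers, editors or sqlite3 being used to read Firefox or Google Chrome profile files that hold credentials, cookies and browsing history on Linux.`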
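Review bot: The new `falsepositives` entry is not a false positive: it is a first-person note about a limitation of the `google-chrome/*/` patterns, whereas SigmaHQ's `falsepositives` field lists legitimate activity that would trigger the rule. The limitation belongs in the `description` in neutral voice (e.g. `The Chrome file names are generic, so the google-chrome/ path segment is required in the command line and relative paths are not matched.`), and the field should instead name real benign triggers such as `    - Administrators, backup jobs or forensic tooling inspecting browser profile directories`. The patterns also only cover the `google-chrome` directory; if Chromium-based browsers are in scope, the same file names live under a `chromium/` profile directory, and whichever way that is decided is worth stating in the description.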