Add rule for detect browser information discovery

rules/linux/process_creation/proc_creation_lnx_browser_information_discovery.yaml

@@ -0,0 +1,46 @@
+title: Browser Information Discovery - Linux
+id: 53f9703e-abc5-4eff-945e-2ab75c206c63
+status: experimental
+description: Detects reading of sensitive browser files.
+references:
+    - https://medium.com/@jsaxena017/web-browser-forensics-part-2-firefox-browser-3dc6ef104607
+    - https://renenyffenegger.ch/notes/development/web/browser/Firefox/profile-folder/index
+    - https://medium.com/@s12deff/steal-firefox-passwords-from-windows-linux-9d9a87906c7d
+    - https://www.systutorials.com/how-to-export-google-chrome-password-on-linux/
+author: CheraghiMilad
+date: 2024-12-08
+modified: 2024-12-17
+tags:
+    - attack.discovery
+    - attack.t1217
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '/cat'
+            - '/ed'
+            - '/head'
+            - '/more'
+            - '/nano'
+            - '/tail'
+            - '/vi'
+            - '/vim'
+            - '/less'
+            - '/sqlite3'
+        CommandLine|contains:
+            - 'cert*.db'
+            - 'places.sqlite'
+            - 'cookies.sqlite'
+            - 'logins.json'
+            - 'prefs.js'
+            - 'google-chrome/*/Bookmarks'
+            - 'google-chrome/*/Login Data'
+            - 'google-chrome/*/Cookies'
+            - 'google-chrome/*/Sessions'
+            - 'google-chrome/*/History'
+    condition: selection
+falsepositives:
+    - Since the file names of Chrome are not unique, I had to include the path "google-chrome" in the rule. If an attacker uses "cd google-chrome", the rule related to Chrome will be bypassed.
+level: medium