Tweak regex & add sample offset
Signed-off-by: Still Hsu <[email protected]>
Still34 committed May 15, 2023
1 parent 99549e7 commit 7e45698
Showing 2 changed files with 6 additions and 6 deletions.
Expand Up @@ -10,15 +10,15 @@ rule:
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
examples:
- 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
- 54390bda109aab7fc006b8b4ead5b6c2
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
features:
- and:
- or:
- string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo|Webkit)\\User Data\\Default\\(Login Data|Cookies)/
- string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/
- substring: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
- substring: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
- or:
- string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
- substring: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- substring: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
- 2 or more:
- string: /date_created/i
- string: /username_element/i
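Review bot: The four rewritten path and SQL patterns switch the feature type from `string:` to `substring:` but keep the `/.../i` regex delimiters, while the unchanged lines directly below (`string: /date_created/i`) still use `string:` for regexes. If `substring` is matched literally in this rule format, these patterns will never hit, so either keep `string:` for the regex forms or confirm with the rule linter that both listed samples still match. The new Chromium-family alternation also drops `Webkit`, which the old pattern included; restore it or note in the commit message why it was removed. The Opera pattern only gained `/i` and does not get the `\\+` separator tolerance or the optional `\\+Network` directory that the Chromium pattern now has, so the two path patterns cover different layouts.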
2 changes: 1 addition & 1 deletion collection/browser/gather-firefox-profile-information.yml
Expand Up @@ -10,7 +10,7 @@ rule:
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
examples:
- 7204e3efc2434012e13ca939db0d0b02:0x4073c0
- 54390bda109aab7fc006b8b4ead5b6c2:0x4b7d88
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
features:
- and:
- 2 or more:
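Review bot: In the `examples:` list the offset for sample 54390bda109aab7fc006b8b4ead5b6c2 is replaced (`0x4b7d88` becomes `0x1006e58b`) rather than added, and the commit message "Tweak regex & add sample offset" does not say why the old address was wrong; a short note on what the new address points to would let a reviewer verify it. The hex casing also differs from the offset given for the same sample in the other changed file (`0x1006E8D3`); use one style for both.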