From 7e456988e04452ce9bd5a83f102a5a800229dc03 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Mon, 15 May 2023 16:10:36 +0800
Subject: [PATCH] Tweak regex & add sample offset
Signed-off-by: Still Hsu
---
 .../gather-chrome-based-browser-login-information.yml | 10 +++++-----
 .../browser/gather-firefox-profile-information.yml | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index faafdf9eb..d82df0418 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -10,15 +10,15 @@ rule:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
- - 54390bda109aab7fc006b8b4ead5b6c2
+ - 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
 features:
 - and:
 - or:
- - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo|Webkit)\\User Data\\Default\\(Login Data|Cookies)/
- - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/
+ - substring: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
+ - substring: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
 - or:
- - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
+ - substring: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+ - substring: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
 - 2 or more:
 - string: /date_created/i
 - string: /username_element/i 
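Review bot: The four features switched from `string:` to `substring:` still carry `/.../i` regex syntax, yet as far as I recall capa only interprets the `/…/` form as a regex under the `string:` key, while a `substring:` value is matched as a literal fragment — if that is the case for the rule engine version in use, these lines would look for the literal characters `/\\+(Edge|…)/i` and never fire, so the safer edit is to keep the key and only improve the pattern, e.g. `- string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i`; please confirm against the parser before merging. Separately, `Webkit` is dropped from the browser alternation and the commit message ("Tweak regex") does not say whether that narrowing is intended. Minor style point: the new sample offset `0x1006E8D3` is uppercase hex while the same sample's offset added to gather-firefox-profile-information.yml in the second hunk is lowercase `0x1006e58b`; one convention would be easier to grep. The rule's `features` block continues past the end of this hunk.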
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 6bab252ee..6e268da2b 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -10,7 +10,7 @@ rule:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
- - 54390bda109aab7fc006b8b4ead5b6c2:0x4b7d88
+ - 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
 features:
 - and:
 - 2 or more: