Improve browser stealer & add SQLite lib detection #757
Conversation
logic looks great, excited for the referenced file so we can merge this
thank you!
Signed-off-by: Still Hsu <[email protected]>
Thanks! I've added comments to make the linter happy.
collection/browser/gather-chrome-based-browser-login-information.yml
from the linter:
Ah right, oops, accidentally used substring instead of string.
Now, we get this from the linter:
Sorry for the stale PR - it looks like the linter passes the test locally for me though.
It doesn't match for me. The function doesn't contain the SELECT strings. Can you double-check what's off?
- Fix erroneous regex capture
- Add detections for cookies gathering
- Add generic browser detection (some webkit browser for some reason uses the same chromium-based paths?)
Signed-off-by: Still Hsu <[email protected]>
- Typically used along with browser data collection
Signed-off-by: Still Hsu <[email protected]>
da4afb4 to 4520523
After having a headache trying to figure out what went wrong for 30 minutes, I finally figured out what was causing it to not match - it was due to the default scope the previous rule used; switching to
looks good, thank you!
Summary
This PR adds detection for SQL statements related to cookie accesses, fixes one of the regexes, and adds rudimentary support for detecting static sqlite3/cppsqlite3 lib linking. The relevant samples will be submitted to the test repo once I get the go-ahead from the maintainers.
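As an added illustration (this is not code from the PR or from the capa-rules project), the following Python script shows the two detection ideas the summary describes and the exact-match versus substring distinction the review comments mention: it pulls printable strings out of a byte blob, flags SQL that reads a cookies table, and treats the presence of sqlite3/CppSQLite3 symbol names as a sign that the library is built into the binary. The sample blob, the SQL text and the symbol list are constructed assumptions for this example, not values from the PR or any real sample.

```python
import re

# Constructed sample standing in for a stripped binary's data section.
# Every string in it is an assumption for this illustration, not a value
# taken from the PR, the referenced rule, or any real sample.
SAMPLE = (
    b"\x00" * 8
    + b"SELECT host_key, name, encrypted_value FROM cookies\x00"
    + b"\x7fELF\x01\x02"
    + b"sqlite3_open_v2\x00sqlite3_prepare_v2\x00"
    + b"CppSQLite3DB::execQuery\x00"
    + b"%s\\Login Data\x00"
)

# Symbol names that typically show up when sqlite3 or CppSQLite3 is compiled
# into the binary instead of loaded from a separate library (assumed list).
SQLITE_SYMBOLS = ("sqlite3_open", "sqlite3_prepare", "sqlite3_step", "CppSQLite3")

# Any SELECT ... FROM cookies statement, regardless of the column list.
COOKIE_SQL_RE = re.compile(r"\bSELECT\b.*\bFROM\s+cookies\b", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of a byte blob, like a strings(1) pass."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def match_string(strings, value: str) -> bool:
    """Exact-match semantics: the whole extracted string must equal the value."""
    return any(s == value for s in strings)


def match_substring(strings, value: str) -> bool:
    """Substring semantics: the value may sit anywhere inside an extracted string."""
    return any(value in s for s in strings)


def detect(data: bytes) -> dict:
    """Return the cookie-access SQL found and whether sqlite symbols are present."""
    strings = extract_strings(data)
    cookie_sql = [s for s in strings if COOKIE_SQL_RE.search(s)]
    sqlite_refs = [s for s in strings if any(sym in s for sym in SQLITE_SYMBOLS)]
    return {
        "cookie_sql": cookie_sql,
        "sqlite_refs": sqlite_refs,
        "sqlite_linked": bool(sqlite_refs),
    }


if __name__ == "__main__":
    result = detect(SAMPLE)
    print("cookie SQL:", result["cookie_sql"])
    print("sqlite symbols:", result["sqlite_refs"])
    print("statically linked sqlite:", result["sqlite_linked"])
```

The exact-match helper explains the linter complaint in the thread: "FROM cookies" never equals a whole extracted string, so it only matches under substring semantics, while the complete SELECT statement matches either way. A real rule would also pin the match to the right scope, which is the other fix described above.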