From a4288bd52f6cb663f91ecd1b59d1dd287d16e237 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 11 May 2023 17:38:42 +0800
Subject: [PATCH 1/7] Improve regex for existing browser data gathering detection - Fix erroneous regex capture + Add detections for cookies gathering + Add generic browser detection (some webkit browser for some reason uses the same chromium-based paths?)
Signed-off-by: Still Hsu
---
 .../gather-chrome-based-browser-login-information.yml | 9 ++++++---
 .../browser/gather-firefox-profile-information.yml | 4 +++-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index eb33bdf06..faafdf9eb 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -4,18 +4,21 @@ rule:
 namespace: collection/browser
 authors:
 - "@_re_fox"
+ - still@teamt5.org
 scope: function
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
+ - 54390bda109aab7fc006b8b4ead5b6c2
 features:
 - and:
 - or:
- - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/
- - string: /\\Opera Software\\Opera Stable\\Login Data/
+ - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo|Webkit)\\User Data\\Default\\(Login Data|Cookies)/
+ - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/
 - or:
- - string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i
+ - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+ - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
 - 2 or more:
 - string: /date_created/i
 - string: /username_element/i
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 8b74721b0..3b263dbc2 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
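Review bot: The `att&ck:` block still lists only `[T1555.003]` although the new `(Login Data|Cookies)` alternatives and the added `/SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i` feature make the rule fire on cookie collection, which ATT&CK tracks as its own technique; adding `- Credential Access::Steal Web Session Cookie [T1539]` under `att&ck:` keeps reports from this rule mapped correctly, and the rule name (line 3, outside this hunk) presumably still speaks of login information only. The same applies to the firefox hunk below, whose `moz_(logins|cookies)` and `WHERE moz_cookies.host LIKE` features already cover cookies. Separately, `,?\s?` between column names admits at most one whitespace character, so a query laid out with two spaces or a newline after each comma does not match the regex; `,?\s*` keeps the intent without that gap.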
@@ -4,16 +4,18 @@ rule:
 namespace: collection/browser
 authors:
 - "@_re_fox"
+ - still@teamt5.org
 scope: function
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
+ - 54390bda109aab7fc006b8b4ead5b6c2
 features:
 - and:
 - 2 or more:
 - string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i
- - string: /\\signons\.sqlite/i
+ - string: /\\(signons|cookies)\.sqlite/i
 - string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i
 - string: /FROM moz_(logins|cookies)/i
 - substring: "WHERE moz_cookies.host LIKE"
From a49a863d0fe75e70e8b878f9e259bda62ee46de6 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 11 May 2023 17:39:38 +0800
Subject: [PATCH 2/7] Add rudimentary sqlite db libs detection - Typically used along with browser data collection
Signed-off-by: Still Hsu
---
 .../sqlite3/linked-against-cppsqlite.yml | 13 ++++++++++++
 .../static/sqlite3/linked-against-sqlite3.yml | 20 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 linking/static/sqlite3/linked-against-cppsqlite.yml
 create mode 100644 linking/static/sqlite3/linked-against-sqlite3.yml
diff --git a/linking/static/sqlite3/linked-against-cppsqlite.yml b/linking/static/sqlite3/linked-against-cppsqlite.yml
new file mode 100644
index 000000000..9fe32ce62
--- /dev/null
+++ b/linking/static/sqlite3/linked-against-cppsqlite.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: linked against CppSQLite3
+ namespace: linking/static/sqlite3
+ authors:
+ - still@teamt5.org
+ scope: file
+ examples:
+ - 253309d8b3675d3cc61d4bf23aa15d4b
+ features:
+ - and:
+ - substring: "CppSQLite3DB"
+ - substring: "CppSQLite3Query"
\ No newline at end of file
diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml
new file mode 100644
index 000000000..f3ff78b26
--- /dev/null
+++ b/linking/static/sqlite3/linked-against-sqlite3.yml
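Review bot: The widened `/\\(signons|cookies)\.sqlite/i` alternative still only names Firefox's SQLite stores, and current Firefox releases keep saved logins in `logins.json` rather than `signons.sqlite`, so a collector that reads only the JSON store has little beyond the `profiles(\.ini)?` feature to contribute and this `2 or more` block may not reach its threshold on login theft from a current profile. If that coverage is wanted, a sibling entry such as `- substring: "logins.json"` in the same block would close the gap while the existing `moz_logins` regexes keep covering the legacy store.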
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: linked against sqlite3
+ namespace: linking/static/sqlite3
+ authors:
+ - still@teamt5.org
+ scope: file
+ examples:
+ - 253309d8b3675d3cc61d4bf23aa15d4b
+ features:
+ - or:
+ - 3 or more:
+ - string: "database corruption"
+ - string: "SQLITE_OK"
+ - string: "SQLite format 3"
+ - string: "sqlite3_extension_init"
+ - substring: "cannot INSERT into generated column"
+ - substring: "UPSERT not implemented for virtual table"
+ - substring: "sqlite3_get_table()"
+ - substring: "qualified table names are not allowed on"
\ No newline at end of file
From 4f817a5428fc389bedaa98dd5184c4971228804a Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Thu, 11 May 2023 17:44:44 +0800
Subject: [PATCH 3/7] Lint rules
Signed-off-by: Still Hsu
---
 linking/static/sqlite3/linked-against-cppsqlite.yml | 2 +-
 linking/static/sqlite3/linked-against-sqlite3.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linking/static/sqlite3/linked-against-cppsqlite.yml b/linking/static/sqlite3/linked-against-cppsqlite.yml
index 9fe32ce62..43d3c5f6d 100644
--- a/linking/static/sqlite3/linked-against-cppsqlite.yml
+++ b/linking/static/sqlite3/linked-against-cppsqlite.yml
@@ -10,4 +10,4 @@ rule:
 features:
 - and:
 - substring: "CppSQLite3DB"
- - substring: "CppSQLite3Query"
\ No newline at end of file
+ - substring: "CppSQLite3Query"
diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml
index f3ff78b26..ee20789b4 100644
--- a/linking/static/sqlite3/linked-against-sqlite3.yml
+++ b/linking/static/sqlite3/linked-against-sqlite3.yml
@@ -17,4 +17,4 @@ rule:
 - substring: "cannot INSERT into generated column"
 - substring: "UPSERT not implemented for virtual table"
 - substring: "sqlite3_get_table()"
- - substring: "qualified table names are not allowed on"
\ No newline at end of file
+ - substring: "qualified table names are not allowed on"
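Review bot: The `3 or more` block mixes `string:` and `substring:` for the same kind of evidence, and `string:` in capa is an exact match on the whole extracted string, so `string: "database corruption"` only counts when the binary carries exactly that text; depending on the SQLite version the phrase is either a standalone literal or part of a longer format message such as `database corruption at line %d of [%.10s]`, and in the latter case this entry never contributes. `SQLITE_OK` as a bare literal is, as far as I recall, only emitted by builds that compile the error-name table, so it is a weak contributor too. `- substring: "database corruption"` is the safer form for that entry; `SQLite format 3` and `sqlite3_extension_init` are complete literals in SQLite and can stay as `string:`.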
From 130cacdd35522fea1bf66eadef30783668207caf Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Mon, 15 May 2023 15:53:04 +0800
Subject: [PATCH 4/7] Rename rule & add offset for sample ref
Signed-off-by: Still Hsu
---
 collection/browser/gather-firefox-profile-information.yml | 2 +-
 ...nked-against-cppsqlite.yml => linked-against-cppsqlite3.yml} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename linking/static/sqlite3/{linked-against-cppsqlite.yml => linked-against-cppsqlite3.yml} (100%)
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 3b263dbc2..6bab252ee 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -10,7 +10,7 @@ rule:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
- - 54390bda109aab7fc006b8b4ead5b6c2
+ - 54390bda109aab7fc006b8b4ead5b6c2:0x4b7d88
 features:
 - and:
 - 2 or more:
diff --git a/linking/static/sqlite3/linked-against-cppsqlite.yml b/linking/static/sqlite3/linked-against-cppsqlite3.yml
similarity index 100%
rename from linking/static/sqlite3/linked-against-cppsqlite.yml
rename to linking/static/sqlite3/linked-against-cppsqlite3.yml
From 622263985c81d30a91b5300281e4b946c49d2274 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Mon, 15 May 2023 16:10:36 +0800
Subject: [PATCH 5/7] Tweak regex & add sample offset
Signed-off-by: Still Hsu
---
 .../gather-chrome-based-browser-login-information.yml | 10 +++++-----
 .../browser/gather-firefox-profile-information.yml | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index faafdf9eb..d82df0418 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -10,15 +10,15 @@ rule:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
- - 54390bda109aab7fc006b8b4ead5b6c2
+ - 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
 features:
 - and:
 - or:
- - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo|Webkit)\\User Data\\Default\\(Login Data|Cookies)/
- - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/
+ - substring: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
+ - substring: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
 - or:
- - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
+ - substring: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+ - substring: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
 - 2 or more:
 - string: /date_created/i
 - string: /username_element/i
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 6bab252ee..6e268da2b 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -10,7 +10,7 @@ rule:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
 - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
- - 54390bda109aab7fc006b8b4ead5b6c2:0x4b7d88
+ - 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
 features:
 - and:
 - 2 or more:
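Review bot: The Opera alternative in the same `or:` did not receive the treatment the Chromium line gets in this hunk: it still requires exactly one `\\` per separator and has no `(\\+Network)?` segment, yet Opera is a Chromium build and presumably moved its `Cookies` file under `Network` the same way, so a sample aimed at Opera's cookie store is missed while the same code aimed at Chrome is caught; `/\\+Opera Software\\+Opera Stable(\\+Network)?\\+(Login Data|Cookies)/i` would keep the two alternatives consistent. The same two lines are re-touched in the `[PATCH 6/7]` hunk below, where the point applies equally. Minor: the new example offset `0x1006E8D3` is upper-case hex while the firefox hunk of this patch writes `0x1006e58b`; one casing is tidier.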
From 8d4a0235de8d81ac28d3fed9620f503b407675f8 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 23 May 2023 15:47:33 +0800
Subject: [PATCH 6/7] Fix incorrect substring usage
Signed-off-by: Still Hsu
---
 .../gather-chrome-based-browser-login-information.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index d82df0418..ecfd67518 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -14,11 +14,11 @@ rule:
 features:
 - and:
 - or:
- - substring: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
- - substring: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
+ - string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
+ - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
 - or:
- - substring: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- - substring: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
+ - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+ - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
 - 2 or more:
 - string: /date_created/i
 - string: /username_element/i
From 45205231912ea4789d68f4e3e458102e8b203634 Mon Sep 17 00:00:00 2001
From: Still Hsu
Date: Tue, 8 Aug 2023 22:00:01 +0800
Subject: [PATCH 7/7] Fix scope & update substring matching
Signed-off-by: Still Hsu
---
 ...chrome-based-browser-login-information.yml | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index ecfd67518..a2020985b 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -5,7 +5,7 @@ rule:
 authors:
 - "@_re_fox"
 - still@teamt5.org
- scope: function
+ scope: file
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
@@ -20,11 +20,13 @@ rule:
 - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
 - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
 - 2 or more:
- - string: /date_created/i
- - string: /username_element/i
- - string: /username_value/i
- - string: /password_element/i
- - string: /origin_url/i
- - string: /signon_realm/i
- - string: /action_url/i
- - string: /password_value/i
+ - substring: "date_created"
+ - substring: "encrypted_value"
+ - substring: "creation_utc"
+ - substring: "username_element"
+ - substring: "username_value"
+ - substring: "password_element"
+ - substring: "origin_url"
+ - substring: "signon_realm"
+ - substring: "action_url"
+ - substring: "password_value"
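Review bot: Changing to `scope: file` widens the window over which the `2 or more` block in the second hunk is counted from one function to the whole binary, and tokens like `date_created`, `origin_url` and `creation_utc` are generic enough that two of them co-occurring somewhere in a large file is a weak signal; this matters only if that block is an alternative to the `FROM logins`/`FROM cookies` regexes inside the `or:` rather than a third `and:` operand, which the flattened indentation here does not let me confirm. The examples (lines 12–13, between the two hunks) still carry function offsets such as `:0x6000039`, which no longer name a match unit under file scope; confirm the repository's lint accepts them or drop the `:0x…` suffixes.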
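Review bot: Replacing `- string: /date_created/i` and its siblings with `- substring: "date_created"` silently drops the case-insensitivity the regex form had: SQLite identifiers are case-insensitive, so a collector whose query reads `SELECT ORIGIN_URL, USERNAME_VALUE ... FROM logins` still satisfies the `/i` regex two lines up but no longer contributes to this `2 or more` count. As far as I recall capa regexes are searched within each extracted string rather than anchored, so the `/…/i` form was already a partial match and could simply be kept, including for the two new entries `encrypted_value` and `creation_utc`; otherwise the commit message should state that case-sensitive matching is intended.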