Potential Cookies Theft via Browser Debugging

About

Tags

Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: Credential AccessData Source: Elastic DefendData Source: Windows Security Event LogsData Source: SysmonLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Steal Web Session Cookie (T1539)(external, opens in a new tab or window)

False Positive Examples

Developers performing browsers plugin or extension debugging.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*logs-endpoint.events.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*

Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

system(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where event.type in ("start", "process_started", "info") and
  process.name in (
             "Microsoft Edge",
             "chrome.exe",
             "Google Chrome",
             "google-chrome-stable",
             "google-chrome-beta",
             "google-chrome",
             "msedge.exe") and
   process.args : ("--remote-debugging-port=*",
                   "--remote-debugging-targets=*",
                   "--remote-debugging-pipe=*") and
   process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0"