Detects suspicious access to browser session cookie storage (e.g., Chrome's Cookies SQLite DB) or memory reads of browser processes. It also flags anomalous injection or memory-dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| TargetProcessList | Monitored browsers (e.g., chrome.exe, firefox.exe) |
| AccessToolList | Suspicious tools used for injection or memory access (e.g., mimikatz, procdump) |
| TargetCookiePaths | Locations of cookie stores like `AppData\Local\Google\Chrome\User Data\Default\Cookies` |
Detects access to known browser cookie files (e.g., ~/.mozilla/firefox/*.default/cookies.sqlite, ~/.config/google-chrome/) and suspicious reads of browser memory via /proc/[pid]/mem or ptrace.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open or read to browser cookie storage |
| Process Access (DC0035) | auditd:SYSCALL | ptrace syscall or access to /proc/*/mem |

| Field | Description |
|---|---|
| CookieFilePatterns | Regex paths to known browser cookie locations |
| TimeWindow | Correlated time range between cookie read and web upload or process injection |
| BrowserProcPatterns | Expected names for browser processes being accessed |
Detects unauthorized access to browser cookie paths (e.g., ~/Library/Application Support/Google/Chrome/Default/Cookies) or task_for_pid/vm_read calls to Safari/Chrome memory space.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | macos:unifiedlog | vm_read, task_for_pid, or file open to cookie databases |
| File Access (DC0055) | fs:fsusage | file open for known browser cookie paths |

| Field | Description |
|---|---|
| TargetBrowserList | List of processes considered web browsers on macOS |
| BrowserCookiePathList | Cookie database paths specific to each browser |
Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | RunMacro |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |

| Field | Description |
|---|---|
| MacroTargetPath | Files or directories macros are attempting to access |
| HTTPDestinationIPList | List of IPs or domains that are uncommon for macro-based HTTP POSTs |
Detects use of session cookies or authentication tokens from unusual user agents or locations. Identifies token reuse without reauthentication or attempts to bypass MFA using previously stolen cookies.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:googleworkspace | login with reused session token and mismatched user agent or IP |
| Logon Session Creation (DC0067) | saas:okta | session.token.reuse |

| Field | Description |
|---|---|
| TokenReuseTimeWindow | Max allowed delta between token issuance and second use |
| UserAgentAnomalyScore | Deviation score from normal browser/device fingerprint |
| GeoLocationAnomalyScore | Deviation in IP region or ASN per user profile |