Improve browser stealer & add SQLite lib detection (#757)

* Improve regex for existing browser data gathering detection - Fix erroneous regex capture + Add detections for cookies gathering + Add generic browser detection (some webkit browser for some reason uses the same chromium-based paths?) Signed-off-by: Still Hsu <dev@stillu.cc> * Add rudimentary sqlite db libs detection - Typically used along with browser data collection Signed-off-by: Still Hsu <dev@stillu.cc> --------- Signed-off-by: Still Hsu <dev@stillu.cc>
mandiant · Aug 19, 2023 · 037ca83 · 037ca83
1 parent f73a8bc
commit 037ca83
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 13 deletions.
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -4,24 +4,29 @@ rule:
     namespace: collection/browser
     authors:
       - "@_re_fox"
-    scope: function
+      - still@teamt5.org
+    scope: file
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:
       - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
+      - 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
   features:
     - and:
       - or:
-        - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/
-        - string: /\\Opera Software\\Opera Stable\\Login Data/
+        - string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
+        - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
       - or:
-        - string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i
+        - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+        - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
         - 2 or more:
-          - string: /date_created/i
-          - string: /username_element/i
-          - string: /username_value/i
-          - string: /password_element/i
-          - string: /origin_url/i
-          - string: /signon_realm/i
-          - string: /action_url/i
-          - string: /password_value/i
+          - substring: "date_created"
+          - substring: "encrypted_value"
+          - substring: "creation_utc"
+          - substring: "username_element"
+          - substring: "username_value"
+          - substring: "password_element"
+          - substring: "origin_url"
+          - substring: "signon_realm"
+          - substring: "action_url"
+          - substring: "password_value"
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
@@ -4,16 +4,18 @@ rule:
     namespace: collection/browser
     authors:
       - "@_re_fox"
+      - still@teamt5.org
     scope: function
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:
       - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
+      - 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
   features:
     - and:
       - 2 or more:
         - string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i
-        - string: /\\signons\.sqlite/i
+        - string: /\\(signons|cookies)\.sqlite/i
         - string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i
         - string: /FROM moz_(logins|cookies)/i
         - substring: "WHERE moz_cookies.host LIKE"

diff --git a/linking/static/sqlite3/linked-against-cppsqlite3.yml b/linking/static/sqlite3/linked-against-cppsqlite3.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: linked against CppSQLite3
+    namespace: linking/static/sqlite3
+    authors:
+      - still@teamt5.org
+    scope: file
+    examples:
+      - 253309d8b3675d3cc61d4bf23aa15d4b
+  features:
+    - and:
+      - substring: "CppSQLite3DB"
+      - substring: "CppSQLite3Query"
diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: linked against sqlite3
+    namespace: linking/static/sqlite3
+    authors:
+      - still@teamt5.org
+    scope: file
+    examples:
+      - 253309d8b3675d3cc61d4bf23aa15d4b
+  features:
+    - or:
+      - 3 or more:
+        - string: "database corruption"
+        - string: "SQLITE_OK"
+        - string: "SQLite format 3"
+        - string: "sqlite3_extension_init"
+        - substring: "cannot INSERT into generated column"
+        - substring: "UPSERT not implemented for virtual table"
+        - substring: "sqlite3_get_table()"
+        - substring: "qualified table names are not allowed on"