
SQLite Firefox Profile Data DB Access

Sigma Rules

Summary
This rule detects use of the SQLite command-line client ('sqlite.exe' or 'sqlite3.exe') against the profile databases of Firefox and other Gecko-based browsers. Firefox stores cookies in cookies.sqlite and bookmarks, download history and browsing history in places.sqlite, so an attacker who opens these files with the generic sqlite client is most likely collecting data for theft, for example dumping the moz_cookies table to hijack authenticated web sessions. The rule matches Windows process-creation events in which the image name ends with 'sqlite.exe' or 'sqlite3.exe' and the command line contains 'cookies.sqlite' or 'places.sqlite'. Legitimate reasons to query these files with the raw sqlite client are rare, so a match is treated as a high-fidelity alert. The behaviour is associated with the Credential Access and Collection tactics in MITRE ATT&CK; the mapped technique is T1539 (Steal Web Session Cookie).

Two caveats apply. The rule keys only on the binary name and the command line: a renamed copy of sqlite3.exe, a script that reads the database through a language's SQLite library, or a tool that copies the file elsewhere before parsing it will not trigger it, so pair it with file-access telemetry on the browser profile directory where that coverage matters. False positives are currently listed as 'Unknown'; administrators or forensic analysts inspecting browser profiles with the sqlite client are the most plausible benign source, so check the user and parent process before acting on an alert.
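The matching logic described above, as an added example rather than the Sigma rule itself or code from the rule's author: a small Python function that applies the rule's two conditions (image name suffix and command-line substring, both case-insensitive as Sigma string matching is by default) to constructed process-creation events. The field names Image and CommandLine follow the Sysmon/Sigma process_creation convention; the sample events, paths and profile names are constructed, and the last two events are included to show cases the rule does not cover.

```python
# Added example: a stand-alone reimplementation of the rule's selection logic.
# Not the Sigma rule or its author's code; field names follow the Sysmon /
# Sigma process_creation convention (Image, CommandLine).

# Image must end with one of the sqlite client binaries ...
SQLITE_IMAGES = ("\\sqlite.exe", "\\sqlite3.exe")
# ... and the command line must reference one of the Firefox profile databases.
PROFILE_DBS = ("cookies.sqlite", "places.sqlite")


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies both selections.

    Sigma's endswith/contains modifiers are case-insensitive, so both fields
    are lowercased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_hit = any(image.endswith(suffix) for suffix in SQLITE_IMAGES)
    db_hit = any(db in cmdline for db in PROFILE_DBS)
    return image_hit and db_hit


def triage(events: list) -> list:
    """Return the indices of events that would raise an alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: cookie theft via the sqlite client -> alert
    {
        "Image": r"C:\Tools\sqlite3.exe",
        "CommandLine": r'sqlite3.exe "C:\Users\alice\AppData\Roaming\Mozilla\Firefox'
                       r'\Profiles\abcd1234.default-release\cookies.sqlite" '
                       r'"select host, name, value from moz_cookies"',
    },
    # 1: history dump; mixed case in the path still matches -> alert
    {
        "Image": r"C:\Tools\SQLite3.EXE",
        "CommandLine": r'SQLite3.EXE C:\temp\PLACES.SQLITE ".dump moz_places"',
    },
    # 2: sqlite client on an unrelated database -> no alert
    {
        "Image": r"C:\Tools\sqlite3.exe",
        "CommandLine": r'sqlite3.exe C:\app\inventory.db ".tables"',
    },
    # 3: renamed copy of sqlite3.exe -> missed by this rule (image check fails)
    {
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "CommandLine": r'svc.exe C:\temp\cookies.sqlite ".dump"',
    },
    # 4: database read through a language's SQLite library -> missed
    {
        "Image": r"C:\Python311\python.exe",
        "CommandLine": r'python.exe -c "import sqlite3, shutil; '
                       r"shutil.copy('cookies.sqlite', 'c.db')\"",
    },
]


if __name__ == "__main__":
    for idx in triage(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running the block flags events 0 and 1 only. Events 3 and 4 illustrate the coverage gap noted in the summary: the same data access performed by a renamed binary or through a library never produces a matching image name, so file-access or module-load telemetry on the profile directory is needed to catch it.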
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1539
Created: 2022-04-08