
Summary
This detection rule identifies potential cookie theft carried out through the debugging features of Chromium-based browsers. Adversaries may abuse the built-in debugging interface of browsers such as Google Chrome and Microsoft Edge to read session cookies for web applications and Internet services; a stolen session cookie lets the attacker authenticate as the victim without knowing their credentials (ATT&CK T1539, Steal Web Session Cookie). The rule inspects the command line of the specified browser executables at process start and matches arguments that enable remote debugging. Whenever a browser is started with such arguments, which is the precondition for reading cookies over the debugging interface, the rule raises an alert. Legitimate developer activity (browser automation and DevTools-based test tooling) launches browsers with the same arguments, so the logic filters out non-suspicious cases where it can, and remaining matches from developer workstations and build systems should be treated as likely false positives and tuned out.
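The following is an added worked example, not the rule's own query or any vendor code, showing the detection logic run over a few constructed process-creation events. The page does not list the exact arguments the production rule matches; the example assumes the two Chromium switches that expose the DevTools remote-debugging interface (`--remote-debugging-port` and `--remote-debugging-pipe`), the browser executable names in `BROWSER_NAMES` beyond Chrome and Edge, and the `DEV_PARENTS` allowlist used to mark probable developer tooling, all of which are assumptions to be tuned per environment. Each finding also carries the `--headless` and `--user-data-dir` values, since a headless start against a real user profile is the combination an analyst most wants to see when triaging a cookie-theft alert.

```python
import re
from dataclasses import dataclass

# Executables treated as Chromium-based browsers. Chrome and Edge are named in
# the rule summary; the other names are an assumption for further Chromium builds.
BROWSER_NAMES = {
    "chrome.exe", "msedge.exe", "chrome", "chromium", "chromium-browser", "msedge",
}

# Chromium switches that expose the DevTools remote-debugging interface. The
# page does not state which switches the production rule matches; these two
# documented switches are assumed here.
DEBUG_SWITCH_RE = re.compile(
    r"(?:^|\s)--remote-debugging-(port|pipe)(?:=(\S+))?", re.IGNORECASE)
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?:\s|$)", re.IGNORECASE)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Parent processes that commonly launch a debuggable browser during development
# (assumption for false-positive triage; tune to the environment).
DEV_PARENTS = {"node.exe", "node", "code.exe", "python.exe", "python", "java"}


@dataclass
class ProcessEvent:
    process_name: str
    command_line: str
    parent_name: str
    user: str


@dataclass
class Finding:
    user: str
    process_name: str
    parent_name: str
    debug_switch: str      # which remote-debugging switch matched
    debug_target: str      # port number (or empty for the pipe variant)
    headless: bool         # browser started without a visible window
    user_data_dir: str     # profile directory the debuggable browser opened
    likely_dev_tooling: bool


def evaluate(event: ProcessEvent):
    """Return a Finding if a Chromium browser starts with a remote-debugging switch, else None."""
    if event.process_name.lower() not in BROWSER_NAMES:
        return None
    m = DEBUG_SWITCH_RE.search(event.command_line)
    if not m:
        return None
    udd = USER_DATA_DIR_RE.search(event.command_line)
    return Finding(
        user=event.user,
        process_name=event.process_name,
        parent_name=event.parent_name,
        debug_switch="--remote-debugging-" + m.group(1).lower(),
        debug_target=m.group(2) or "",
        headless=bool(HEADLESS_RE.search(event.command_line)),
        user_data_dir=(udd.group(1) or udd.group(2)) if udd else "",
        likely_dev_tooling=event.parent_name.lower() in DEV_PARENTS,
    )


def run(events):
    """Apply the rule to a sequence of events and return the findings in order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry): a headless Chrome started by
# PowerShell against the user's own profile, an Edge started with the pipe
# variant, a normal browser launch, and a puppeteer-style launch from node.
SAMPLE_EVENTS = [
    ProcessEvent("chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                 r'--remote-debugging-port=9222 '
                 r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
                 "powershell.exe", "CORP\\alice"),
    ProcessEvent("msedge.exe",
                 r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                 r'--remote-debugging-pipe --profile-directory=Default',
                 "cmd.exe", "CORP\\bob"),
    ProcessEvent("chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                 r'--profile-directory=Default https://intranet.example',
                 "explorer.exe", "CORP\\carol"),
    ProcessEvent("chrome",
                 "/usr/bin/chrome --remote-debugging-port=0 "
                 "--user-data-dir=/tmp/puppeteer_dev_profile-abc",
                 "node", "dev"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Of the four constructed events, three produce findings; the plain browser launch does not. The first finding (headless, debugging port open, real user profile, spawned by PowerShell) is the shape a cookie-theft attempt takes, while the last one is flagged but marked as probable developer tooling because its parent is `node`, which is where the false-positive tuning the summary mentions would start.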
Categories
- Endpoint
- Web
- Cloud
Data Sources
- Process
- Container
ATT&CK Techniques
- T1539
Created: 2020-12-21