Password Stores

Tags: Query: DeviceProcessEvents, DeviceInfo | where OSPlatform == "macOS" and ProcessCommandLine has_any ("/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", "/Users/*/Library/Cookies*", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", "Login Data","Cookies.binarycookies", "key4.db", "key3.db", "logins.json", "cookies.sqlite") ChatGPT generated Query: DeviceProcessEvents | where ProcessCommandLine matches regex @"(.*\/Users\/[^/]+\/Library\/Application Support\/Google\/Chrome\/Default\/Login Data|.*\/Users\/[^/]+\/Library\/Application Support\/Google\/Chrome\/Default\/Cookies|.*\/Users\/[^/]+\/Library\/Cookies.*|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/cookies\.sqlite|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/key.*\.db|.*\/Users\/[^/]+\/Library\/Application Support\/Firefox\/Profiles\/.*\.default\/logins\.json|Login Data|Cookies\.binarycookies|key4\.db|key3\.db|logins\.json|cookies\.sqlite)" References:

Explanation

Sure! Here's a simple summary of the query:

The query is searching through device process events and device information to find instances where the operating system is macOS and the command line of a process contains specific file paths or filenames related to browser data for Google Chrome and Firefox. These files include login data, cookies, and other sensitive information stored in the user's library directories.

In essence, it's looking for processes on macOS devices that are interacting with certain browser-related files that could contain sensitive user data.

KQL Search

Query

Explanation

Details

Actions