Query Details

Suspicious Tool Accessing Browser Cookies On Mac OS

Query

# *Suspicious Tool Accessing Browser Cookies on macOS*

## Query Information

### Category: Threat Hunting 

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1539 | Steal Web Session Cookie | https://attack.mitre.org/techniques/T1539 |
| T1552.001 | Unsecured Credentials: Credentials In Files | https://attack.mitre.org/techniques/T1552/001/ |


#### Description

This rule detects when a suspicious command-line tool (e.g., curl, python, bash) attempts to access browser cookie files on a macOS system. This activity could indicate an adversary attempting to steal web session cookies for unauthorized access.


#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

## Defender XDR
```KQL
let suspiciousTools = dynamic(["cp", "tar", "zip", "python", "python3",
    "curl", "scp", "ruby", "perl", "php", "node",
    "osascript", "bash", "sh", "zsh", "rsync"]);
let legitimateBrowsers = dynamic(["google chrome", "safari", "cfprefsd",
    "firefox", "brave browser", "microsoft edge"]);
let cookiePaths = dynamic([
    "/Cookies",              // Chrome, Edge, Brave
    "cookies.sqlite",        // Firefox
    "Cookies.binarycookies"  // Safari
]);
// Scope to macOS endpoints via DeviceInfo. The FolderPath of command-line tools
// such as /usr/bin/curl does not contain "macOS", so filtering on it would miss them.
let macDevices = DeviceInfo
    | where OSPlatform == "macOS"
    | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (macDevices)
// The command line must name a cookie store ...
| where ProcessCommandLine has_any (cookiePaths)
// ... located inside one of the browser profile directories
| where ProcessCommandLine has_any (
    "/Google/Chrome/",
    "/Microsoft Edge/",
    "/BraveSoftware/Brave-Browser/",
    "/com.apple.Safari/",
    "/Firefox/Profiles/"
)
// Drop the browsers (and cfprefsd) touching their own cookie stores
| where tolower(InitiatingProcessFileName) !in (legitimateBrowsers)
// in~ is case-insensitive, so "Python3" matches as well
| where FileName in~ (suspiciousTools)
// Timestamp is the Defender XDR column; TimeGenerated only exists in Sentinel
| project Timestamp, DeviceName, AccountName,
    FileName,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    ProcessCommandLine
```

Explanation

This query is designed for threat hunting on macOS systems to detect potentially suspicious activities involving the access of browser cookie files. Here's a simplified breakdown:

  1. Purpose: The query aims to identify when certain command-line tools, which are not typical web browsers, attempt to access browser cookie files. This could suggest an attempt to steal web session cookies, which can be used for unauthorized access.

  2. Tools Monitored: It looks for the use of command-line tools like curl, python, bash, and others that might be used maliciously to access cookie files.

  3. Browsers Considered Legitimate: It excludes processes initiated by legitimate browsers such as Google Chrome, Safari, Firefox, Brave, and Microsoft Edge from being flagged as suspicious.

  4. Cookie File Paths: The query checks for access to specific cookie file paths associated with these browsers, such as /Cookies for Chrome, cookies.sqlite for Firefox, and Cookies.binarycookies for Safari.

  5. Process Filtering: Only processes that were not started by one of the legitimate browsers and whose executable is one of the suspicious tools are kept, so a browser reading its own cookie store is not reported, while a shell-launched tool reading the same file is.

  6. Output: The query outputs details like the time of the event, device name, account name, the tool used, and the command line executed, which can help in further investigation.

Overall, this query helps security analysts detect and investigate potential attempts to steal web session cookies on macOS systems, which is a technique used by attackers to gain unauthorized access to user accounts.
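To sanity-check the filter logic before running it in Advanced Hunting, here is an added Python re-implementation of the query's where-clauses over constructed sample rows; it is not code from the page or its author. Column names mirror the query, `has_any` is approximated with case-insensitive substring matching, and the macOS device scoping is assumed to have been applied upstream.

```python
# Allow/deny lists copied from the KQL query above.
SUSPICIOUS_TOOLS = {"cp", "tar", "zip", "python", "python3", "curl", "scp", "ruby",
                    "perl", "php", "node", "osascript", "bash", "sh", "zsh", "rsync"}
LEGIT_BROWSERS = {"google chrome", "safari", "cfprefsd", "firefox",
                  "brave browser", "microsoft edge"}
COOKIE_FILES = ["/Cookies", "cookies.sqlite", "Cookies.binarycookies"]
PROFILE_DIRS = ["/Google/Chrome/", "/Microsoft Edge/", "/BraveSoftware/Brave-Browser/",
                "/com.apple.Safari/", "/Firefox/Profiles/"]

def _has_any(text, needles):
    # Stand-in for KQL has_any: case-insensitive substring match. KQL's has_any
    # is term-based, so this approximation is slightly looser than the query.
    low = text.lower()
    return any(n.lower() in low for n in needles)

def is_suspicious(evt):
    """Apply the query's four where-clauses to one DeviceProcessEvents-shaped row.
    Column names mirror the query; macOS device scoping is assumed done upstream."""
    cmd = evt["ProcessCommandLine"]
    return (_has_any(cmd, COOKIE_FILES)                        # names a cookie store ...
            and _has_any(cmd, PROFILE_DIRS)                    # ... inside a browser profile dir
            and evt["InitiatingProcessFileName"].lower() not in LEGIT_BROWSERS
            and evt["FileName"].lower() in SUSPICIOUS_TOOLS)   # in~ : case-insensitive

def hunt(events):
    """Return the rows the rule would surface, in input order."""
    return [e for e in events if is_suspicious(e)]

# Constructed sample rows (not real telemetry); paths are the usual macOS locations.
CHROME_COOKIES = "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"
FIREFOX_COOKIES = "/Users/alice/Library/Application Support/Firefox/Profiles/x1.default/cookies.sqlite"
SAMPLE_EVENTS = [
    # 1. Chrome opening its own cookie DB: dropped by the browser allow-list.
    {"FileName": "Google Chrome", "InitiatingProcessFileName": "Google Chrome",
     "ProcessCommandLine": f"Google Chrome {CHROME_COOKIES}"},
    # 2. cp launched from an interactive zsh, copying the Chrome cookie DB: flagged.
    {"FileName": "cp", "InitiatingProcessFileName": "zsh",
     "ProcessCommandLine": f"cp {CHROME_COOKIES} /tmp/c.db"},
    # 3. Mixed-case FileName (in~ tolerates it) reading Firefox cookies from bash: flagged.
    {"FileName": "Python3", "InitiatingProcessFileName": "bash",
     "ProcessCommandLine": f"python3 /tmp/read.py {FIREFOX_COOKIES}"},
    # 4. curl with a cookie jar outside any browser profile: both path tests must hold, so not flagged.
    {"FileName": "curl", "InitiatingProcessFileName": "bash",
     "ProcessCommandLine": "curl -b /tmp/Cookies https://example.invalid/"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["FileName"], "<-", row["InitiatingProcessFileName"], "|", row["ProcessCommandLine"])
```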

Details


Benjamin Zulliger

Released: June 19, 2026

Tables

DeviceProcessEvents

Keywords

Threat Hunting, MacOS, Browser Cookies, Devices

Operators

let, dynamic, has, has_any, tolower, in, in~, project
