[EXP] The Shift to Behavioral and Identity-Driven Attacks and Why SIEM Detection Fails
Report Type
Threat Intelligence Assessment
Threat Category
Identity Intrusion Campaign
Social Engineering Initial Access
Remote Assistance Tool Abuse
Assessment Date
March 17, 2026
Primary Impact Domain
Enterprise Identity Security
Endpoint Remote Access Trust Boundaries
BLUF
Enterprise security monitoring is failing to detect modern attacks because SIEM detection models are built on static rules that do not align with behavior-driven and identity-based adversary tradecraft. Attackers now operate through valid credentials, trusted processes, and multi-stage activity that produces minimal traditional indicators, allowing them to evade signature-based detection. This shift toward behavioral and identity-driven intrusion creates systemic blind spots that enable prolonged unauthorized access and delayed response. Executive action must prioritize behavior-based detection, identity monitoring, and cross-telemetry correlation to reduce detection failure risk.
S2A Executive Risk Translation
The shift to identity-based and behavior-driven attacks allows adversaries to operate undetected within enterprise environments, increasing dwell time, amplifying breach impact, and elevating financial and regulatory exposure.
S3 Why This Matters Now
Enterprise environments have shifted toward cloud identity, SaaS platforms, and distributed authentication models where access is defined by valid credentials rather than perimeter controls. At the same time, attackers have shifted to behavioral and identity-driven techniques that blend into legitimate activity and avoid generating traditional indicators.
This convergence has created a structural detection gap where SIEM systems built for signature-based threats fail to detect modern multi-stage attack chains.
S4 Key Judgments
· Modern attacks have shifted to behavior-driven, multi-stage activity while SIEM rules remain event-driven and static.
· Identity-based attack paths such as valid account use bypass traditional detection logic.
· Detection failure is driven by architectural misalignment between SIEM design and modern attacker tradecraft.
· Effective detection requires correlation across email, endpoint, and network telemetry rather than isolated alerts.
· Alert fatigue and poor rule tuning reduce visibility into real attack signals.
S5 Executive Risk Summary
Modern attacks have shifted toward identity-based and behavior-driven activity that closely mimics legitimate user behavior, reducing the effectiveness of traditional SIEM rules. This shift allows malicious actions to blend into normal operations and bypass detection models built on static indicators and discrete event triggers.
As a result, adversaries can maintain persistence, escalate privileges, and access sensitive systems without detection, increasing the likelihood of operational disruption, data exposure, and extended incident response timelines.
S5A Estimated Probability of Recurrence (12-Month Horizon)
· Very high probability
· Driven by:
o Continued shift toward identity-based enterprise architectures
o Increasing use of behavior-driven and low-noise attacker tradecraft
o Widespread reliance on legacy SIEM detection models
S6 Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by undetected or late-detected intrusion activity caused by behavioral and identity-driven attacks that bypass SIEM detection:
· Limited incident scenario — Estimated cost range: $75,000 – $300,000
· Moderate incident scenario — Estimated cost range: $300,000 – $2,500,000
· Severe incident scenario — Estimated cost range: $2,500,000 – $25,000,000+
Key cost drivers
· Delayed detection increasing attacker dwell time
· Expanded incident response and forensic investigation scope
· Data exposure and regulatory compliance impact
· Operational disruption due to late-stage containment
S6A Compliance Exposure Indicator
· Risk Register Entry
o Risk Category: Detection failure due to identity-based and behavioral intrusion
o Business Impact: Undetected unauthorized access, increased breach severity, regulatory exposure
o Recommended Risk Owner: Chief Information Security Officer
· Compliance Exposure Indicator
o Detection failure may impact:
§ Continuous monitoring requirements
§ Detection and response obligations
§ Auditability of security controls
· Annualized Risk Exposure
o Estimated range: $300,000 – $2,500,000+
o Based on high recurrence probability and moderate incident cost scenarios
S7 Risk Drivers
· Shift toward behavior-driven and identity-based attack techniques
· Static and signature-based SIEM rule design
· Lack of multi-source telemetry correlation
· Alert fatigue caused by high false-positive volumes
· Fragmented visibility across cloud, endpoint, and network environments
· Absence of behavioral baselining and anomaly detection
S8 Bottom Line for Executives
Enterprise cyber risk is increasingly driven by a shift toward behavior-based and identity-driven attacks that traditional SIEM rules are not designed to detect. Organizations that rely on static detection models will continue to miss modern intrusion activity. Detection strategy must evolve toward behavioral analytics, identity monitoring, and cross-telemetry correlation.
S9 Board-Level Takeaway
The shift to behavior-based and identity-driven attacks requires a corresponding shift in detection strategy. Boards should ensure that detection engineering maturity, identity monitoring, and cross-system visibility are prioritized as core components of enterprise risk management.
S10 Threat Overview
Modern enterprise attacks have shifted toward behavior-driven and identity-based intrusion models that leverage valid credentials, trusted applications, and legitimate system processes. These attacks generate minimal traditional indicators and unfold across multiple stages that individually appear benign.
SIEM detection systems fail in this model because they rely on static rules, single-event logic, and isolated telemetry, preventing detection of coordinated multi-stage behavior. This creates a structural detection gap where attackers can operate undetected across the full attack lifecycle.
S11 Threat Classification
· Threat Type: Identity-driven intrusion with behavioral evasion
· Attack Model: Multi-stage, low-noise, identity-centric attack chain
· Detection Failure Type:
o Single-event rule dependency
o Lack of stateful detection across sessions
o Absence of identity context binding
o Lack of temporal and cross-source correlation
· Threat Category Alignment:
o Identity intrusion
o Initial access brokerage
o Stealth persistence and privilege abuse
S12 Exploit Status
· Exploitation is actively occurring across enterprise environments
· No dependency on software vulnerabilities; attacks rely on:
o Valid credentials
o User interaction and trust exploitation
o Misconfigured identity and access controls
· SIEM detection failure occurs when:
o Authentication events are evaluated in isolation
o Identity activity is not correlated with endpoint or network behavior
o Session and token activity is not monitored as part of a sequence
S13 Exploit Conditions Snapshot
· Successful phishing or credential harvesting event
· Legitimate authentication via identity provider
· Absence of behavioral anomaly detection on login activity
· Lack of session monitoring and token validation controls
· No correlation between:
o Authentication logs
o Endpoint process activity
o Network communication patterns
SIEM Failure Conditions
· Rules evaluate authentication, endpoint, and network events independently
· No stateful tracking of user sessions across time
· No linkage between identity events and downstream system activity
· Detection logic does not account for multi-stage attack progression
S14 Targeting and Sector Analysis
· Primary Targets:
o Organizations with cloud identity and SaaS dependency
o Enterprises with centralized logging but limited detection engineering maturity
· High-Value Sectors:
o Financial services
o Healthcare
o Technology and SaaS providers
o Government and public sector
o Retail and e-commerce
· Geographic Scope:
o Global targeting
o Concentration in North America and Europe
S15 Adversary Capability Profiling
· Capability Level:
o Low to Moderate per operator
o High at ecosystem level due to tooling standardization
· Infrastructure Maturity:
o Phishing-as-a-service platforms
o Credential harvesting kits with automated deployment
o Session hijacking frameworks targeting browser tokens
· Scalability:
o High due to automation and reuse of attack infrastructure
· Escalation Likelihood:
o High probability of transition to:
§ Privilege escalation
§ Data exfiltration
§ Ransomware enablement
S16 Targeting Probability Assessment
· Financial services:
o Very high probability due to direct monetization pathways
· Healthcare:
o High probability due to operational dependency and sensitive data
· Technology and SaaS:
o Very high probability due to identity-centric infrastructure
· Government:
o High probability due to access to sensitive systems
· Retail and e-commerce:
o Moderate to high probability due to credential reuse patterns
S17 Adversary Operational Objectives
· Credential harvesting for account takeover
· Session and token hijacking for persistent access
· Initial access brokerage for resale
· Data exfiltration for financial or intelligence value
· Enablement of follow-on intrusion such as ransomware
S17A Behavioral Zero-Day Detection Philosophy
Traditional SIEM detection models rely on known indicators and predefined rules, which fail against attacks that use legitimate credentials and trusted processes. Behavioral zero-day detection focuses on identifying deviations from normal activity patterns across multiple telemetry sources.
Detection model structure:
· Signal Layer
o Authentication anomalies
o Endpoint behavioral deviations
o Network communication irregularities
· Telemetry Layer
o Identity provider logs
o Endpoint process and memory telemetry
o DNS and web proxy logs
· Detection Logic Layer
o Behavioral baselining of user activity
o Detection of deviations from normal authentication patterns
o Correlation of identity, endpoint, and network signals
Key detection principle:
· Detection must identify sequences of abnormal behavior across time rather than isolated events
S17B Multi-Stage Anomaly Correlation Model
Modern attacks unfold as a sequence of low-noise activities that individually appear legitimate but collectively indicate malicious behavior. Effective detection requires structured correlation across telemetry sources and time.
Stage 1 – Initial Access and Credential Capture (T1566 – Phishing)
· Signal:
o Suspicious email interaction or credential submission
· Telemetry:
o Email gateway logs
Stage 2 – Authentication and Identity Abuse (T1078 – Valid Accounts)
· Signal:
o Anomalous login location, device, or session behavior
· Telemetry:
o Identity provider logs
Stage 3 – Endpoint Activity and Credential Access (T1555 – Credentials from Password Stores)
· Signal:
o Browser session access or abnormal process execution
· Telemetry:
o Endpoint process and memory telemetry
Stage 4 – Network Communication and Command Activity (T1071 – Application Layer Protocol)
Signal:
o Communication with newly registered or low-reputation domains
Telemetry:
o DNS and web proxy logs
Stage 5 – Persistence and Privilege Abuse (T1098 – Account Manipulation)
Signal:
o Role changes, abnormal access escalation, or policy modification
· Telemetry:
o Identity and access logs
Detection requirement:
· SIEM systems must correlate signals across all stages and telemetry sources
· Failure to correlate these stages results in missed detection despite observable indicators
S17C Infrastructure Intelligence
· Domain Patterns:
o Use of newly registered domains with short lifecycle
o Rapid domain rotation to evade reputation-based detection
· Hosting and ASN Patterns:
o Use of low-cost VPS providers with rapid provisioning
o Distributed hosting across multiple ASNs to avoid blocking
· SaaS Impersonation Infrastructure:
o Domains mimicking Microsoft, Google, Okta, and other identity providers
o Use of subdomain spoofing and brand impersonation techniques
· Certificate Patterns:
o Use of automated TLS certificates to enable trusted HTTPS communication
· Token and Session Abuse Infrastructure:
o Infrastructure designed to capture and reuse session cookies
o Use of redirect chains and proxying to maintain session validity
· Infrastructure Reuse:
o Reuse of phishing kits and backend panels across campaigns
o Shared infrastructure across multiple threat actors
S18 Attack Chain Overview
Modern identity-driven attacks follow a structured, multi-stage sequence aligned to behavioral intrusion patterns defined in Block 2. Each stage leverages legitimate systems and produces low-noise signals that appear benign when analyzed independently. SIEM detection fails because these behaviors are evaluated as isolated events without stateful correlation across identity, endpoint, and network telemetry. Effective detection requires mapping these behaviors as a continuous chain rather than discrete alerts.
S19 Initial Access
T1566 – Phishing
Attackers initiate intrusion through phishing campaigns that impersonate trusted SaaS and identity providers. These campaigns use credential harvesting pages, OAuth consent abuse, and HTML smuggling to capture authentication data.
· How it is used in this attack model: Delivers credential lures that initiate identity compromise and establishes the first stage of the behavioral attack chain
· Detection Gap: SIEM rules treat email events independently with no linkage between phishing interaction and subsequent authentication events
· Telemetry Dependency: Email gateway logs and URL interaction tracking
Figure 3
S20 Execution
T1204 – User Execution
Users interact with phishing content, submit credentials, or authorize malicious applications, enabling attackers to gain access without malware execution.
· How it is used in this attack model: Enables attacker access through legitimate user actions and removes dependency on exploit-based execution
· Detection Gap: Activity appears as normal user behavior without behavioral deviation detection
· Telemetry Dependency: Identity provider logs and email interaction telemetry
T1059 – Command and Scripting Interpreter
Attackers may execute scripts post-authentication to interact with the environment or automate actions.
· How it is used in this attack model: Supports post-authentication activity within trusted environments
· Detection Gap: Script execution occurs within legitimate processes without identity compromise context
· Telemetry Dependency: Endpoint process telemetry and script execution logs
S20A Adversary Tradecraft Summary
· Use of legitimate authentication flows to bypass exploit detection
· Elimination of malware dependency during initial access and execution
· Reliance on user interaction to enable intrusion
· Transition to identity-driven intrusion rather than system compromise
· Use of trusted platforms and protocols to maintain low detection visibility
S21 Persistence
T1098 – Account Manipulation
Attackers modify account attributes, roles, or authentication settings to maintain access.
· How it is used in this attack model: Establishes persistence through legitimate account changes
· Detection Gap: Treated as administrative activity without correlation to prior suspicious behavior
· Telemetry Dependency: Identity and access management logs
T1550 – Use of Authentication Tokens
Attackers reuse stolen session tokens or cookies to maintain access without reauthentication.
· How it is used in this attack model: Enables persistent access while avoiding credential reuse detection
· Detection Gap: Token reuse appears as valid session continuation without anomaly detection
· Telemetry Dependency: Session logs and authentication token telemetry
S22 Privilege Escalation and Full Attack Chain Expansion
T1078 – Valid Accounts (Privilege Abuse)
Attackers leverage compromised accounts to access higher-privilege resources.
· How it is used in this attack model: Enables lateral movement and deeper system access
· Detection Gap: Appears as legitimate user access without correlation to compromise indicators
· Telemetry Dependency: Identity logs and access control logs
T1036 – Masquerading (Defense Evasion)
Attackers operate using legitimate services and identities to blend with normal activity.
· How it is used in this attack model: Masks malicious actions within trusted environments
· Detection Gap: No detection without behavioral context
· Telemetry Dependency: Identity and endpoint logs
T1555 – Credentials from Password Stores (Credential Access)
Attackers access stored credentials in browsers or applications to expand access.
· How it is used in this attack model: Enables credential reuse across systems
· Detection Gap: Occurs within legitimate sessions without behavioral anomaly detection
· Telemetry Dependency: Endpoint telemetry and browser access logs
T1087 – Account Discovery (Discovery)
Attackers enumerate users, roles, and permissions to identify targets.
· How it is used in this attack model: Supports privilege escalation and lateral movement
· Detection Gap: Appears as normal administrative queries
· Telemetry Dependency: Identity and directory service logs
T1021 – Remote Services (Lateral Movement)
Attackers move across systems using valid credentials.
· How it is used in this attack model: Expands control across enterprise systems
· Detection Gap: Appears as legitimate remote access activity
· Telemetry Dependency: Network authentication logs and remote access logs
T1071 – Application Layer Protocol (Command and Control)
Attackers communicate with external infrastructure using standard protocols.
· How it is used in this attack model: Enables command execution and data exchange
· Detection Gap: Traffic appears as normal web communication
· Telemetry Dependency: DNS and web proxy logs
T1041 – Exfiltration Over C2 Channel (Exfiltration)
Attackers exfiltrate data using established communication channels.
· How it is used in this attack model: Enables data theft without triggering abnormal transfer alerts
· Detection Gap: Blends with normal outbound traffic
· Telemetry Dependency: Network traffic logs and data transfer monitoring
S23 Behavior and Log Artifacts
Identity-driven attacks generate low-noise behavioral signals across multiple telemetry sources that appear benign when viewed in isolation but become indicative of compromise when correlated.
· Email Telemetry Artifacts:
o User interaction with phishing links or embedded credential capture pages
o HTML smuggling artifacts and unusual attachment execution patterns
· Identity Telemetry Artifacts:
o Logins from new devices or geographies inconsistent with user baseline
o Session token reuse without corresponding authentication events
o OAuth consent grants or abnormal application authorization activity
· Endpoint Telemetry Artifacts:
o Browser access to credential stores or session data
o Abnormal parent-child process relationships tied to user sessions
o Script execution within trusted processes
· Network Telemetry Artifacts:
o Communication with newly registered or low-reputation domains
o DNS queries with low historical frequency
o Beaconing patterns over HTTPS
These artifacts individually lack sufficient confidence for alerting but collectively form a high-confidence detection signal when correlated.
S24 Detection Strategy
Effective detection requires a behavioral and identity-centric approach that correlates signals across telemetry sources rather than relying on static rule triggers.
· Correlate email interaction events with subsequent authentication anomalies
· Link authentication anomalies to endpoint activity within the same session context
· Correlate endpoint behavior with outbound network communication patterns
· Establish behavioral baselines for users, devices, and sessions
· Detect deviations across time and across telemetry sources
· Prioritize sequence-based detection aligned to S17B multi-stage model
· Integrate identity context into all detection logic to prevent isolated event analysis
S25 Ultra-Tuned Detection Engineering Rules
Credential Harvesting and Password Store Access
Suricata
Rule Name
CyberDax Credential Harvesting Infrastructure Access from User Workstations with Identity-Lure Pattern and Repeated Contact
Purpose
Provide corroborating network telemetry for likely credential-harvesting activity by identifying repeated outbound access from non-support workstation networks to suspicious identity-lure infrastructure while excluding approved enterprise identity providers, sanctioned SaaS authentication platforms, approved remote-access infrastructure, and known corporate authentication destinations.
ATT&CK Technique
· T1566 – Phishing
· T1555 – Credentials from Password Stores
Telemetry Dependency
· Egress HTTP inspection or TLS metadata visibility
· Defined user workstation subnet variables
· Defined support and administrative subnet variables
· Defined approved enterprise authentication destination variables
· Maintained suppression lists or destination scoping for:
o approved corporate SSO and IdP infrastructure
o sanctioned SaaS authentication providers
o known remote-access or secure access service infrastructure
· Optional, but strongly recommended:
o DNS novelty or first-seen enrichment from proxy or DNS pipeline
o destination reputation or domain-age enrichment
o TLS SNI visibility where available
Tuning Explanation
This rule is intentionally a corroborating detector, not a standalone primary credential-harvesting alert. It is designed to identify suspicious repeated access from standard user workstations to external infrastructure exhibiting identity-lure patterns consistent with phishing kits, credential collection portals, or fake enterprise login pages.
To keep noise low, this rule must not fire on:
· approved enterprise identity providers
· sanctioned third-party authentication portals already used by the organization
· approved remote-support or secure web gateway paths
· one-off benign browsing to pages containing generic login-related strings
This rule requires all of the following:
· source is a standard user workstation subnet
· destination is external and not in approved authentication ranges
· destination host or URI exhibits identity-lure characteristics
· repeated access from the same source within a bounded interval
It is strongest when correlated with:
· email or lure-delivery telemetry
· endpoint browser credential-store access
· downstream authentication anomalies
Detection Logic
· Detect outbound HTTP sessions from user workstation networks to external destinations
· Match destination host or URI patterns suggestive of credential lure infrastructure such as:
o login
o verify
o secure
o account
o session
o auth
· Exclude approved enterprise and sanctioned authentication infrastructure
· Require repeated access from the same source within a constrained interval to suppress accidental or one-off benign browsing
· Use only as corroborating evidence of credential-harvesting interaction
Operational Context
· Highest value in environments where workstation users should not repeatedly browse unknown external authentication-themed destinations
· Useful for triage of endpoints later exhibiting suspicious browser credential-store access or valid-account abuse
· Destination allowlists must be maintained before production deployment
· If egress inspection cannot provide meaningful host or URI context, this rule should not be treated as a final production detector
System-Ready Code
# Required local variables to be defined in local policy:
# var USER_WORKSTATIONS [10.20.0.0/16,10.30.0.0/16]
# var SUPPORT_NETS [10.10.10.0/24,10.10.20.0/24]
# var APPROVED_AUTH_NETS [20.190.128.0/18,52.96.0.0/12,34.64.0.0/10]
#
# Deploy only where inspected HTTP metadata is available.
pass http $SUPPORT_NETS any -> $APPROVED_AUTH_NETS any (
msg:"CYBERDAX allow approved support authentication traffic";
flow:established,to_server;
sid:5301002;
rev:1;
)
pass http $USER_WORKSTATIONS any -> $APPROVED_AUTH_NETS any (
msg:"CYBERDAX allow approved enterprise authentication traffic";
flow:established,to_server;
sid:5301003;
rev:1;
)
alert http $USER_WORKSTATIONS any -> $EXTERNAL_NET any (
msg:"CYBERDAX credential harvesting infrastructure access from user workstation";
flow:established,to_server;
http.host;
pcre:"/(login|verify|secure|account|session|auth).*(confirm|update|portal|check)?/Ui";
detection_filter:track by_src, count 5, seconds 120;
classtype:trojan-activity;
sid:5301001;
rev:1;
metadata:deployment Egress, confidence medium, attack_target Workstation;
)
SentinelOne
Rule Name
CyberDax Browser Password Store Access by Non-Browser Process with Suspicious Execution Context
Purpose
Detect likely credential harvesting by identifying access to browser password-store artifacts from non-browser processes executing in suspicious script, document, temporary-path, archive, or user-download contexts.
ATT&CK Technique
· T1555 – Credentials from Password Stores
Telemetry Dependency
· SentinelOne Deep Visibility process telemetry
· File access or file interaction visibility for password-store artifacts
· Parent-child process relationships
· Command-line visibility
· Endpoint naming, tagging, or grouping to distinguish support and administrative assets from standard user endpoints
· Optional, but recommended:
o maintenance-window exclusions
o executable signature or reputation metadata
o immediate follow-on network telemetry
o user classification allowing support-user suppression
Tuning Explanation
This is a primary Phase 1A endpoint analytic and is intentionally layered to remain low-noise.
It uses three gating controls:
1. Target validation
The rule scopes to browser password-store artifacts such as:
· Chrome or Chromium Login Data
· Edge Login Data
· equivalent browser password-store database paths
2. Process exclusion
The rule suppresses normal expected access by:
· supported browser processes
· sanctioned password managers
· approved support and administrative endpoint populations where justified locally
3. Suspicious execution-context requirement
The rule requires the accessing process to appear in suspicious execution context such as:
· Office or Outlook parent process
· script interpreter parent
· HTML application or rundll32-based launcher
· process executing from Temp or user Downloads
· process lineage associated with user-driven lure execution
This rule must not alert on browser self-access alone.
It is designed to detect:
· infostealer-style password-store scraping
· malicious credential export workflows
· document- or script-driven password-store access preceding valid-account abuse
Detection Logic
· Identify access to browser password-store files
· Require the accessing process to be outside the browser and password-manager allowlist
· Require suspicious process lineage or suspicious execution origin
· Exclude support and administrative asset populations
· Use optional correlation with immediate outbound network activity as investigation amplifier, not as a hard trigger
Operational Context
· Highest value on user workstations where non-browser access to browser password stores is rare
· Strong signal for credential scraping and password-store theft
· Severity should increase when paired with:
o suspicious external authentication-themed infrastructure access
o session artifact access
o downstream anomalous sign-ins
· If file-level visibility is missing or incomplete, the rule must not be treated as final production detection without local validation
System-Ready Code
(
FileFullName RegExp "(?i)\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Login Data$"
OR FileFullName RegExp "(?i)\\\\Microsoft\\\\Edge\\\\User Data\\\\.*\\\\Login Data$"
)
AND NOT TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND NOT TgtProcName RegExp "(?i)^(1password|lastpass|bitwarden|keepass)\\.exe$"
AND (
SrcProcName RegExp "(?i)^(winword|excel|powerpnt|outlook|acrord32|wscript|cscript|mshta|rundll32)\\.exe$"
OR TgtProcImagePath RegExp "(?i)\\\\AppData\\\\Local\\\\Temp\\\\"
OR TgtProcImagePath RegExp "(?i)\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\"
)
AND NOT EndpointName RegExp "(?i)^(HD-|HELPDESK-|IT-|SUPPORT-|SRV-IT-)"
AND NOT GroupName RegExp "(?i)(Helpdesk|IT Support|Desktop Support|Admin Workstations)"
AND NOT UserName RegExp "(?i)^(svc_|helpdesk|itadmin|support\\.)"
Splunk
Rule Name
CyberDax Unauthorized Browser Password Store Access with Thresholded Behavior and Investigation-Grade Context
Purpose
Detect likely credential harvesting by correlating repeated access to browser password-store artifacts by non-browser processes on non-support assets, preserving sufficient process and host context for rapid investigation and escalation.
ATT&CK Technique
· T1555 – Credentials from Password Stores
Telemetry Dependency
· Normalized endpoint file-access telemetry
· Normalized process execution telemetry
· Optional, but recommended:
o network telemetry for same-user or same-host outbound activity
o authentication telemetry for short-window downstream sign-in correlation
· Lookup tables:
o browser process allowlist
o password-manager allowlist
o support assets
o support users
o maintenance windows
o approved migration or administrative tooling where relevant
Tuning Explanation
This is a primary SIEM analytic for Phase 1A and is intentionally more conservative than a single file-path rule.
It requires:
· access to browser password-store paths
· by non-browser, non-password-manager processes
· on non-support populations
· exceeding a behavioral threshold within a short interval
This keeps the rule from firing on:
· isolated benign file access
· browser self-behavior
· support, migration, or administrative maintenance workflows
The rule is strongest when later enriched during investigation with:
· outbound network activity
· sensitive app access
· anomalous authentication behavior
Those enrichments are valuable, but they are not hard requirements for the primary detector because requiring them at rule time can unnecessarily suppress true positives.
Detection Logic
· Collect file-access events targeting browser password-store files
· Normalize process and user names to lower case
· Exclude approved browsers, approved password managers, support assets, support users, and maintenance windows
· Aggregate repeated accesses by host, user, and process in a bounded interval
· Alert only when access count exceeds threshold
· Preserve file path set, process list, and first/last seen times for triage
· Use downstream network or sign-in enrichment during investigation and risk escalation
Operational Context
· Intended for workstation populations where browser password-store access by non-browser processes should be uncommon
· High-value precursor to valid-account abuse and session-backed identity intrusion
· Low-noise when local allowlists and maintenance exceptions are maintained
· If file telemetry is low fidelity or sparse, do not treat this rule as final production detection without local validation
System-Ready Code
index=edr_logs
(file_path="*\\Login Data" OR file_path="*\\User Data\\*\\Login Data")
| eval process_name=lower(process_name), user=lower(user)
| lookup cyberdax_browser_process_allowlist process_name OUTPUT process_name as matched_browser
| lookup cyberdax_password_manager_allowlist process_name OUTPUT process_name as matched_pwmanager
| lookup cyberdax_support_assets asset as host OUTPUT asset as matched_asset
| lookup cyberdax_support_users user as user OUTPUT user as matched_user
| lookup cyberdax_maintenance_windows asset as host OUTPUT maintenance_active
| where isnull(matched_browser)
AND isnull(matched_pwmanager)
AND isnull(matched_asset)
AND isnull(matched_user)
AND (isnull(maintenance_active) OR maintenance_active!="true")
| bin _time span=10m
| stats count as access_count earliest(_time) as first_seen latest(_time) as last_seen values(file_path) as file_paths by host user process_name _time
| where access_count > 5
| eval risk_score=80
| table first_seen last_seen host user process_name file_paths access_count risk_score
Elastic
Rule Name
CyberDax Browser Password Store Access by Non-Browser or Browser-Masquerading Process with Suspicious Execution Context
Purpose
Detect likely credential harvesting by identifying access to browser password-store artifacts by unauthorized processes, including non-browser processes, browser-masquerading binaries, and trusted utilities executing in suspicious context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1036 – Masquerading
Telemetry Dependency
· Elastic Defend or equivalent endpoint file access telemetry
· Process execution telemetry
· Parent-child process visibility
· Process executable path visibility
· Host role or asset metadata identifying support or administrative systems
· Optional:
o code-signing or reputation metadata
o maintenance-window labels
o user-role enrichment
Tuning Explanation
This is a primary endpoint analytic for Phase 1A and is tuned to detect both classic password-store scraping and more modern variants that abuse trusted or browser-like process identity. It requires:
· access to browser password-store paths
· by either:
o a non-browser, non-password-manager process, or
o a browser-named process executing from an abnormal path, or
o a trusted utility commonly abused for credential access
· suspicious execution context through parent lineage or origin path
This suppresses:
· normal browser self-access
· sanctioned password managers
· support or admin workstation populations
· maintenance windows where locally modeled
This rule must not be reduced to any single access to Login Data without process and context validation.
Detection Logic
· Detect file access to browser password-store databases
· Match one of the following process conditions:
o process not in approved browser and password-manager set
o process name resembles browser but executable path is abnormal
o trusted utility name such as powershell, rundll32, wscript, cscript, mshta
· Require at least one suspicious context condition:
o Office, Outlook, PDF, script, HTA, or launcher parent
o Temp or Downloads execution origin
· Exclude support populations and maintenance windows before alerting
Operational Context
· Highest value on standard user Windows endpoints
· Strong signal for infostealer-style scraping, masquerade-assisted scraping, and trusted-binary abuse touching password stores
· Best escalated when paired with:
o suspicious lure infrastructure access
o downstream anomalous authentication
o repeated same-host access bursts
System-Ready Code
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{ "wildcard": { "file.path": "*\\Google\\Chrome\\User Data\\*\\Login Data" } },
{ "wildcard": { "file.path": "*\\Microsoft\\Edge\\User Data\\*\\Login Data" } }
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"bool": {
"must_not": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe","1password.exe","lastpass.exe","bitwarden.exe","keepass.exe"] } }
]
}
},
{
"bool": {
"must": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe"] } },
{
"bool": {
"must_not": [
{ "regexp": { "process.executable": ".*\\\\Program Files( \\(x86\\))?\\\\.*" } }
]
}
}
]
}
},
{ "terms": { "process.name": ["powershell.exe","pwsh.exe","cmd.exe","rundll32.exe","wscript.exe","cscript.exe","mshta.exe"] } }
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{ "terms": { "process.parent.name": ["winword.exe","excel.exe","powerpnt.exe","outlook.exe","acrord32.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","explorer.exe"] } },
{ "regexp": { "process.executable": ".*\\\\AppData\\\\Local\\\\Temp\\\\.*" } },
{ "regexp": { "process.executable": ".*\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\.*" } }
],
"minimum_should_match": 1
}
}
],
"must_not": [
{ "regexp": { "host.name": "(?i)^(HD-|HELPDESK-|IT-|SUPPORT-|SRV-IT-)" } },
{ "term": { "labels.maintenance_window": "true" } }
]
}
}
}
QRadar
Rule Name
CyberDax Browser Password Store Access by Unauthorized or Browser-Masquerading Process with Suspicious Execution Context
Purpose
Detect likely credential harvesting by identifying repeated access to browser password-store artifacts by unauthorized processes, browser-masquerading binaries, or trusted utilities on non-support endpoints when suspicious execution context is present.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1036 – Masquerading
Telemetry Dependency
· Endpoint file access logs normalized into QRadar
· Process creation or file access telemetry with:
o username
o hostname
o file path
o process name
o process path
o parent process or process path where available
· Reference sets:
o CYBERDAX_BROWSER_PROCESSES
o CYBERDAX_PASSWORD_MANAGER_PROCESSES
o CYBERDAX_SUPPORT_ASSETS
o CYBERDAX_SUPPORT_USERS
o CYBERDAX_MAINTENANCE_ASSETS
· Optional:
o CYBERDAX_TRUSTED_BROWSER_PATHS
Tuning Explanation
This is a primary SIEM analytic for Phase 1A and must not alert on a single benign file interaction. It requires:
· access to browser password-store paths
· by either:
o a non-browser, non-password-manager process
o a browser-named process executing outside approved browser paths
o a trusted utility commonly abused for scraping
· suspicious execution context
· at least 4 repeated events within 10 minutes
This rule suppresses:
· support assets
· support users
· maintenance assets
· approved browser and password-manager activity
Mandatory prerequisite:
QRadar must preserve file path, process identity, and ideally process path in normalized telemetry. If executable-path context is unavailable, browser-masquerade handling should be treated as partial rather than final coverage.
Detection Logic
· Building Block 1 identifies access to browser password-store files
· Building Block 2 identifies unauthorized, browser-masquerading, or trusted-abuse process patterns
· Building Block 3 identifies suspicious execution context
· Main CRE rule requires all three building blocks and repeated-event aggregation
· Main CRE rule suppresses support populations and creates an offense only when all conditions align
Operational Context
· Highest value where workstation file access telemetry is ingested
· Strong detector for password-store scraping prior to valid-account abuse
· Best escalated when correlated with suspicious lure infrastructure access, sign-in anomalies, or repeated host-user-process recurrence
Field Mapping Guidance
· File access fields may map as:
o File Path
o Target Filename
o Object Name
· Process fields may map as:
o Process Name
o Image
o Process
o Parent Process
o Command
o Process Path
· User fields may map as:
o Username
o User Name
o Log Source Username
· Host fields may map as:
o Destination Hostname
o Hostname
o Asset Hostname
System-Ready Code
Reference Set: CYBERDAX_BROWSER_PROCESSES
Reference Set: CYBERDAX_PASSWORD_MANAGER_PROCESSES
Reference Set: CYBERDAX_SUPPORT_ASSETS
Reference Set: CYBERDAX_SUPPORT_USERS
Reference Set: CYBERDAX_MAINTENANCE_ASSETS
Reference Set: CYBERDAX_TRUSTED_BROWSER_PATHS
Building Block: CYBERDAX_Browser_Password_Store_Access
when event category indicates file access
and file path matches one of:
*\Google\Chrome\User Data\*\Login Data
*\Microsoft\Edge\User Data\*\Login Data
Building Block: CYBERDAX_Unauthorized_Or_Masquerading_Process
when (
process name is not in CYBERDAX_BROWSER_PROCESSES
and process name is not in CYBERDAX_PASSWORD_MANAGER_PROCESSES
)
or (
process name is in CYBERDAX_BROWSER_PROCESSES
and process path is not in CYBERDAX_TRUSTED_BROWSER_PATHS
)
or (
process name is one of:
powershell.exe
pwsh.exe
cmd.exe
rundll32.exe
wscript.exe
cscript.exe
mshta.exe
)
Building Block: CYBERDAX_Suspicious_Context
when parent process indicates office, pdf, or script execution
or process path indicates Temp or Downloads execution
Rule: CYBERDAX Browser Password Store Access by Unauthorized or Browser-Masquerading Process
when BB:CYBERDAX_Browser_Password_Store_Access matches
and BB:CYBERDAX_Unauthorized_Or_Masquerading_Process matches
and BB:CYBERDAX_Suspicious_Context matches
and at least 4 matching access events occur by same destination hostname and username within 10 minutes
and destination hostname not in CYBERDAX_SUPPORT_ASSETS
and username not in CYBERDAX_SUPPORT_USERS
and destination hostname not in CYBERDAX_MAINTENANCE_ASSETS
then create offense
Severity: 8
Relevance: 8
Credibility: 8
Sigma
Rule Name
CyberDax Browser Password Store Access by Unauthorized or Browser-Masquerading Process
Purpose
Provide portable supporting detection for browser password-store access by unauthorized processes, browser-masquerading binaries, or trusted-abuse utilities in suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1036 – Masquerading
Telemetry Dependency
· Endpoint file access logs in a Sigma-compatible backend
· Process name and parent process visibility
· Execution path visibility or equivalent backend enrichment
· Optional maintenance-window and support-population enrichment
Tuning Explanation
This is a supporting detector, not a standalone primary analytic. It is intended for backends that can preserve:
· file path access
· process name
· parent process context or equivalent execution-origin context
· executable path where available
It should only be used where the backend can distinguish password-store access and suspicious process context reliably. It must not be deployed unchanged if:
· file access telemetry is absent
· both parent process visibility and execution-path context are missing
· support population suppression cannot be approximated
This rule intentionally requires suspicious context and includes optional browser-masquerade logic to improve coverage of recent variants.
Detection Logic
· Detect access to browser password-store files
· Exclude password managers
· Match either:
o non-browser process
o browser-named process from abnormal path
o trusted utility commonly abused for scraping
· Require either suspicious parent process or suspicious execution path context
· Forward matches to SIEM correlation and triage pipelines
Operational Context
· Useful as portable supporting content where endpoint file access telemetry exists
· Best used with stronger SIEM or EDR analytics
· Not intended to replace full primary detections
System-Ready Code
title: CyberDax Browser Password Store Access by Unauthorized or Browser-Masquerading Process
id: 9de24c43-0e7c-4ed8-8c8b-cyberdax-phase1a-pwstore-modern
status: experimental
description: Detects browser password-store access by unauthorized, browser-masquerading, or trusted-abuse processes with suspicious execution context.
logsource:
product: windows
category: file_access
detection:
selection_path:
TargetFilename|contains:
- '\Google\Chrome\User Data\'
- '\Microsoft\Edge\User Data\'
TargetFilename|endswith:
- '\Login Data'
filter_pwmanager:
Image|endswith:
- '\1password.exe'
- '\lastpass.exe'
- '\bitwarden.exe'
- '\keepass.exe'
selection_nonbrowser:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_parent:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\acrord32.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
selection_exec_path:
Image|contains:
- '\AppData\Local\Temp\'
- '\Users\'
- '\Downloads\'
condition: selection_path and not filter_pwmanager and selection_nonbrowser and (selection_parent or selection_exec_path)
falsepositives:
- Approved administrative or migration tooling in environments without local suppression enrichment
level: high
tags:
- attack.t1555
- attack.t1036
YARA
Rule Name
CyberDax Browser Password Store Extraction or Export Artifact Heuristic with Modern Variant Coverage
Purpose
Support forensic triage by identifying scripts, binaries, or collected artifacts associated with browser password-store extraction, credential export, SQLite-style scraping, or browser-data theft workflows.
ATT&CK Technique
· T1555 – Credentials from Password Stores
Telemetry Dependency
· Endpoint forensic collections
· File triage workflows
· Incident response artifact review
· EDR file telemetry where available
Tuning Explanation
This rule is forensic and triage support only, not a primary prevention or real-time endpoint block. It is designed to identify artifacts associated with:
· browser password-store extraction
· credential database copying
· direct SQLite-based querying of browser credentials
· browser-data export workflows
To reduce noise, the rule requires multiple indicators rather than isolated generic strings. It should not be used as a standalone detector for normal browser data files.
Detection Logic
· Match combinations of strings associated with browser password stores, SQLite-style extraction, and credential export workflows
· Require multiple indicators before alerting
· Use during triage of compromised endpoints or staging directories
Operational Context
· Highest value during post-alert investigation of endpoints showing suspicious browser password-store access
· Useful for confirming credential harvesting or staging behavior after EDR or SIEM detections
· Not intended as a standalone production prevention control
System-Ready Code
rule CYBERDAX_Browser_Password_Store_Extraction_Artifact_Modern
{
meta:
description = "Heuristic for browser password-store extraction, SQLite scraping, or credential export artifacts"
author = "CyberDax Detection Engineering"
version = "1.1"
scope = "forensic triage"
strings:
$s1 = "Login Data" nocase
$s2 = "Web Data" nocase
$s3 = "Local State" nocase
$s4 = "password_value" nocase
$s5 = "logins" nocase
$s6 = "os_crypt" nocase
$s7 = "SELECT origin_url, username_value, password_value" nocase
$s8 = "sqlite3" nocase
$s9 = "AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" nocase
$s10 = "AppData\\\\Local\\\\Microsoft\\\\Edge\\\\User Data" nocase
condition:
4 of ($s*)
}
AWS
Rule Name
CyberDax Suspicious AWS Identity Validation or First-Seen Sensitive Action Following Credential Harvesting
Purpose
Detect attacker validation and early use of harvested credentials by identifying abnormal AWS identity activity, including first-seen sensitive actions and low-frequency validation behavior in abnormal context.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· AWS CloudTrail
· Events:
o ConsoleLogin
o AssumeRole
o GetCallerIdentity
o GetFederationToken
· Principal ARN, source IP, region, user agent
· Baseline models:
o IP by principal
o region by principal
o user agent by principal
o first-seen API usage by principal
· Watchlists:
o approved corporate ranges
o approved service principals
· Correlation dataset:
o Phase 1A recent principals with timestamp
Tuning Explanation
This rule is designed to detect both:
· low-and-slow validation behavior
· first-time sensitive actions in abnormal context
It requires:
· successful identity-related AWS activity
· abnormal context:
o new IP, region, or user agent
AND at least one of:
· first-ever sensitive action for the principal
· identity validation behavior following Phase 1A within a defined time window
· token or STS usage in abnormal context
· repeated validation attempts within short interval
This prevents reliance on threshold-only detection and improves coverage of stealth attackers.
Detection Logic
· Detect successful AWS identity-related events
· Exclude approved service principals and corporate ranges
· Identify abnormal context using baseline comparison
· Require at least one:
o first-seen sensitive action
o Phase 1A correlation within defined time window
o token-related validation activity
o repeated validation pattern
Operational Context
· High signal for early attacker validation after credential harvesting
· Captures both burst and low-and-slow behaviors
· Should be escalated when tied to endpoint Phase 1A detections within short time window
System-Ready Code
SELECT
eventtime,
useridentity.arn AS principal_arn,
sourceipaddress AS source_ip,
eventname,
useragent,
awsregion
FROM cloudtrail_logs
WHERE eventname IN ('ConsoleLogin','AssumeRole','GetCallerIdentity','GetFederationToken')
AND errorcode IS NULL
AND useridentity.arn NOT IN (SELECT principal FROM approved_service_principals)
AND sourceipaddress NOT IN (SELECT ip_or_range FROM approved_corporate_ranges)
AND (
sourceipaddress NOT IN (
SELECT ip FROM baseline_ip_by_principal WHERE principal = useridentity.arn
)
OR awsregion NOT IN (
SELECT region FROM baseline_region_by_principal WHERE principal = useridentity.arn
)
OR useragent NOT IN (
SELECT user_agent FROM baseline_user_agent_by_principal WHERE principal = useridentity.arn
)
)
AND (
eventname IN ('AssumeRole','GetFederationToken')
OR useridentity.arn IN (
SELECT principal FROM first_seen_sensitive_actions
)
OR useridentity.arn IN (
SELECT principal FROM recent_phase1a_principals
WHERE eventtime >= NOW() - INTERVAL '60 minutes'
)
OR useridentity.arn IN (
SELECT principal FROM repeated_identity_validation_window
)
);
Azure
Rule Name
CyberDax Suspicious Entra Sign-In or Token Validation with Device Context Mismatch Following Credential Harvesting
Purpose
Detect early attacker use of harvested credentials by identifying abnormal sign-in or token validation activity with device, IP, or session-context anomalies.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· Microsoft Entra SigninLogs
· Fields:
o UserPrincipalName
o IPAddress
o DeviceDetail
o UserAgent
o AppDisplayName
· Watchlists:
o approved IP ranges
o automation identities
· Optional:
o device trust state
o named locations
o Phase 1A correlation dataset
Tuning Explanation
This rule improves detection of:
· low-and-slow attacker validation
· token-based identity checks
· device-context mismatches
It requires:
· successful sign-in
AND:
· abnormal context:
o non-corporate IP
o new device
o uncommon user agent
AND at least one:
· Phase 1A correlation within defined time window
· repeated sign-in activity
· device mismatch or unmanaged device
· token-validation-like behavior
Detection Logic
· Detect successful sign-ins
· Exclude automation identities and approved IP ranges
· Evaluate device and client context
· Require abnormal context plus correlation or anomaly condition
Operational Context
· High signal for credential reuse following harvesting
· Captures both:
o interactive logins
o token validation patterns
· Particularly strong for identity-first attack paths
System-Ready Code
let ApprovedIPs = _GetWatchlist('cyberdax_approved_ip_ranges') | project SearchKey;
let AutomationAccounts = _GetWatchlist('cyberdax_automation_accounts') | project SearchKey;
let Phase1AUsers = _GetWatchlist('cyberdax_recent_phase1a_users') | project SearchKey;
SigninLogs
| where ResultType == 0
| where UserPrincipalName !in (AutomationAccounts)
| where IPAddress !in (ApprovedIPs)
| extend DeviceId = tostring(DeviceDetail.deviceId),
IsManaged = tostring(DeviceDetail.isManaged),
UA = tostring(UserAgent)
| summarize sign_in_count = count(),
first_seen = min(TimeGenerated),
last_seen = max(TimeGenerated)
by UserPrincipalName, IPAddress, DeviceId, IsManaged, UA, bin(TimeGenerated, 30m)
| extend phase1a = UserPrincipalName in (Phase1AUsers)
| where phase1a == true
or sign_in_count > 1
or IsManaged == "false"
GCP
Rule Name
CyberDax Suspicious GCP Identity Validation or First-Seen IAM Activity Following Credential Harvesting
Purpose
Detect early attacker use of harvested credentials by identifying abnormal identity validation or first-time IAM activity in GCP from unusual context.
ATT&CK Technique
· T1078 – Valid Accounts
· T1098 – Account Manipulation
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· GCP Cloud Audit Logs
· Principal email, caller IP, method name
· Baselines:
o IP by principal
o method usage by principal
· Watchlists:
o approved corporate ranges
o automation/service accounts
· Correlation dataset:
o Phase 1A recent principals
Tuning Explanation
This rule captures:
· first-time IAM behavior
· low-frequency validation
· token-generation patterns
It requires:
· authenticated activity
AND:
· abnormal context
AND at least one:
· first-seen method usage
· Phase 1A correlation within defined time window
· privileged IAM method
· repeated validation activity
Detection Logic
· Detect authenticated GCP activity
· Exclude approved ranges
· Identify abnormal source context
· Require first-time or sensitive method usage or Phase 1A correlation
Operational Context
· Strong signal for early attacker cloud pivot
· Detects both stealth validation and privilege escalation attempts
· Works best with baseline method usage tracking
System-Ready Code
SELECT
timestamp,
protopayload_auditlog.authenticationInfo.principalEmail AS principal_email,
protopayload_auditlog.methodName AS method_name,
protopayload_auditlog.requestMetadata.callerIp AS caller_ip
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE protopayload_auditlog.authenticationInfo.principalEmail IS NOT NULL
AND caller_ip NOT IN (
SELECT ip_or_range FROM `project.dataset.approved_corporate_ranges`
)
AND (
caller_ip NOT IN (
SELECT ip FROM `project.dataset.baseline_ip_by_principal`
WHERE principal = principal_email
)
)
AND (
method_name IN (
'GenerateAccessToken',
'GenerateIdToken',
'SetIamPolicy',
'CreateServiceAccountKey'
)
OR principal_email IN (
SELECT principal FROM `project.dataset.first_seen_methods`
)
OR principal_email IN (
SELECT principal FROM `project.dataset.recent_phase1a_principals`
WHERE timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 MINUTE)
)
);
Phase 1B-A — Credential Store Access Expansion (Local Artifacts Beyond Password Store)
Suricata
Rule Name
CyberDax Identity Lure Interaction with Suspicious Client Behavior Indicative of Credential Artifact Targeting
Purpose
Provide corroborating network telemetry for likely credential-harvesting activity by identifying repeated interaction with suspicious identity-lure infrastructure that commonly precedes local access to extended browser credential artifacts.
ATT&CK Technique
· T1566 – Phishing
· T1189 – Drive-by Compromise
Telemetry Dependency
· Egress HTTP inspection or high-fidelity proxy metadata
· DNS telemetry
· Newly observed or low-prevalence destination enrichment where available
· Defined approved enterprise authentication destinations
Tuning Explanation
This is a corroborating detector only and is not a direct credential-artifact-access rule. It is intentionally constrained to reduce generic POST or web-login noise. It requires:
· external destination not in approved enterprise authentication infrastructure
· identity-lure semantics in URI or host context
· repeated interaction from the same source within a short interval
This rule must not be treated as final production detection for Phase 1B-A without endpoint confirmation.
Detection Logic
· Detect repeated HTTP interaction to suspicious external identity-lure destinations
· Match URI or host semantics associated with login or auth collection behavior
· Exclude approved enterprise and sanctioned authentication infrastructure
· Use only as corroborating evidence when paired with endpoint artifact access
Operational Context
· Highest value where workstation users should not repeatedly contact unknown external authentication-themed destinations
· Best used to enrich SentinelOne and Splunk detections in this phase
System-Ready Code
# Required local variables:
# var USER_WORKSTATIONS [10.20.0.0/16,10.30.0.0/16]
# var APPROVED_AUTH_NETS [20.190.128.0/18,52.96.0.0/12,34.64.0.0/10]
pass http $USER_WORKSTATIONS any -> $APPROVED_AUTH_NETS any (
msg:"CYBERDAX allow approved enterprise authentication traffic";
flow:established,to_server;
sid:5412102;
rev:1;
)
alert http $USER_WORKSTATIONS any -> $EXTERNAL_NET any (
msg:"CYBERDAX suspicious identity lure interaction preceding credential artifact targeting";
flow:established,to_server;
http.uri;
pcre:"/(login|signin|verify|auth|account|session)/Ui";
detection_filter:track by_src, count 3, seconds 90;
classtype:trojan-activity;
sid:5412101;
rev:2;
metadata:deployment Egress, confidence medium, attack_target Workstation, role Corroborating, phase Phase1BA;
)
SentinelOne
Rule Name
CyberDax Browser Credential Artifact Access by Unauthorized, User-Space, or Trusted-Abuse Process with Suspicious Execution Context
Purpose
Detect likely credential harvesting by identifying access to browser credential-storage artifacts beyond the password store, including cookie databases, browser state files, and credential-related browser storage, when accessed by unauthorized processes, browser-masquerading binaries, or trusted utilities executing in suspicious context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· SentinelOne Deep Visibility file interaction or file access telemetry
· Process execution telemetry
· Parent-child process visibility
· Full process image path visibility
· Endpoint grouping or naming to distinguish support and administrative systems from standard user endpoints
· Optional but recommended:
o maintenance-window suppression
o signer or reputation metadata
o sanctioned migration or profile-sync tooling allowlists
o immediate follow-on network telemetry as investigation amplifier
Tuning Explanation
This is a primary Phase 1B-A endpoint analytic and requires:
· access to explicitly scoped browser credential-artifact paths rather than broad artifact-name matching alone
· by either:
o a non-browser, non-password-manager process
o a browser-named process executing from abnormal user-space or non-standard path
o a trusted utility commonly abused for scraping or export activity
· suspicious execution context through parent lineage or user-space execution origin
This rule is designed to detect:
· infostealer evolution beyond password-store-only access
· browser artifact scraping using trusted utilities
· browser-masquerading execution
· document-, archive-, or script-driven access to browser credential material
This rule must not alert on:
· normal browser self-access
· sanctioned password-manager activity
· expected support, migration, sync, or administrative workflows where locally modeled
· generic access to loosely named files without path scoping
Confidence should increase when:
· multiple credential artifacts are touched in a short interval
· access follows recent identity-lure or phishing-related execution
· the same process lineage later touches session artifacts or produces suspicious outbound traffic
Detection Logic
· Detect access to explicitly scoped browser credential-artifact paths such as:
o Chrome or Edge Cookies
o Chrome or Edge Local State
o Chrome or Edge Web Data
· Require one of the following process conditions:
o process is not an approved browser or password manager
o process name resembles a browser but executes from abnormal user-space or non-standard path
o process is a trusted utility commonly abused for scraping or export such as powershell, pwsh, cmd, rundll32, wscript, cscript, or mshta
· Require suspicious execution context through one or more of:
o Office, Outlook, PDF, script, or launcher parent
o execution from Temp or Downloads
o user-space browser-named executable outside expected install path
· Exclude support, admin, and maintenance populations before alerting
Operational Context
· Highest value on standard user workstations where non-browser access to browser credential artifacts is rare
· Strong signal for browser-data scraping that frequently precedes session-material targeting or downstream identity abuse
· Best escalated immediately when paired with:
o recent lure-infrastructure interaction
o repeated artifact touches by the same process
o downstream anomalous authentication
· If file interaction telemetry is incomplete or path fidelity is weak, this rule must not be treated as final production detection without local validation
System-Ready Code
(
FileFullName RegExp "(?i)\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Cookies$"
OR FileFullName RegExp "(?i)\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Local State$"
OR FileFullName RegExp "(?i)\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Web Data$"
OR FileFullName RegExp "(?i)\\\\Microsoft\\\\Edge\\\\User Data\\\\.*\\\\Cookies$"
OR FileFullName RegExp "(?i)\\\\Microsoft\\\\Edge\\\\User Data\\\\.*\\\\Local State$"
OR FileFullName RegExp "(?i)\\\\Microsoft\\\\Edge\\\\User Data\\\\.*\\\\Web Data$"
)
AND
(
(
NOT TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND NOT TgtProcName RegExp "(?i)^(1password|lastpass|bitwarden|keepass|migwiz|usmt)\\.exe$"
)
OR
(
TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND TgtProcImagePath RegExp "(?i)\\\\Users\\\\|\\\\ProgramData\\\\|\\\\Temp\\\\|\\\\AppData\\\\"
)
OR
TgtProcName RegExp "(?i)^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta)\\.exe$"
)
AND
(
SrcProcName RegExp "(?i)^(winword|excel|powerpnt|outlook|acrord32|7z|7za|winrar|rar|wscript|cscript|mshta|rundll32)\\.exe$"
OR TgtProcImagePath RegExp "(?i)\\\\AppData\\\\Local\\\\Temp\\\\"
OR TgtProcImagePath RegExp "(?i)\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\"
)
AND NOT EndpointName RegExp "(?i)^(HD-|HELPDESK-|IT-|SUPPORT-|SRV-IT-)"
AND NOT GroupName RegExp "(?i)(Helpdesk|IT Support|Desktop Support|Admin Workstations)"
AND NOT UserName RegExp "(?i)^(svc_|helpdesk|itadmin|support\\.)"
Splunk
Rule Name
CyberDax Unauthorized Browser Credential Artifact Access with Thresholded Behavior, High-Risk Process Gating, and Investigation-Grade Context
Purpose
Detect likely credential harvesting by identifying repeated or high-risk access to explicitly scoped browser credential artifacts by unauthorized, browser-masquerading, or trusted-abuse processes on non-support endpoints.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Normalized endpoint file-access telemetry
· Normalized process execution telemetry
· Parent-process visibility
· Process executable path visibility where available
· Lookup tables:
o cyberdax_browser_process_allowlist
o cyberdax_password_manager_allowlist
o cyberdax_support_assets
o cyberdax_support_users
o cyberdax_maintenance_windows
o cyberdax_trusted_browser_paths
o cyberdax_approved_migration_tools
· Optional but recommended:
o recent lure-infrastructure correlation
o downstream authentication enrichment
o signer or reputation metadata
Tuning Explanation
This is a primary SIEM analytic for Phase 1B-A and is intentionally stricter than the earlier draft.
It requires:
· access to explicitly scoped credential-artifact paths:
o Cookies
o Local State
o Web Data
· on non-support populations
· by one of the following:
o non-browser, non-password-manager process
o browser-named process executing outside trusted browser paths
o trusted utility commonly abused for scraping such as powershell, pwsh, cmd, rundll32, wscript, cscript, or mshta
· suspicious execution context through parent process or execution origin
The rule is designed to trigger on either:
· repeated artifact access above threshold in a bounded interval
· a single high-risk event where process class and context strongly indicate malicious scraping
This keeps the rule effective against both:
· burst scraping
· low-and-slow or single high-confidence access
This rule must not alert on:
· browser self-access
· password managers
· approved migration or maintenance workflows
· generic artifact-name matches without profile-path context
Detection Logic
· Collect file-access events targeting explicitly scoped browser credential-artifact paths
· Normalize process, parent process, user, and host fields
· Exclude approved browsers, password managers, support assets, support users, maintenance windows, and approved migration tooling
· Identify suspicious process classes:
o unauthorized non-browser access
o browser-named process outside trusted browser path
o trusted utility abuse
· Require suspicious execution context:
o lure-adjacent parent process
o or Temp / Downloads execution origin
· Aggregate repeated events by host, user, process, and parent process
· Alert on:
o repeated access above threshold
o or single high-risk event with strong malicious process and context combination
· Preserve path set, process set, timing, and risk basis for triage
Operational Context
· Intended for workstation fleets where access to browser credential artifacts by non-browser or abnormal browser processes should be rare
· Strong indicator of credential harvesting expansion and browser data scraping
· Best escalated when correlated with:
o recent identity-lure infrastructure access
o follow-on authentication anomalies
o later session-artifact access
· If file access telemetry is sparse, parent-process visibility is missing, or process path data is unavailable, do not treat this rule as final production detection without local validation
System-Ready Code
index=edr_logs
(
file_path="*\\Google\\Chrome\\User Data\\*\\Cookies"
OR file_path="*\\Google\\Chrome\\User Data\\*\\Local State"
OR file_path="*\\Google\\Chrome\\User Data\\*\\Web Data"
OR file_path="*\\Microsoft\\Edge\\User Data\\*\\Cookies"
OR file_path="*\\Microsoft\\Edge\\User Data\\*\\Local State"
OR file_path="*\\Microsoft\\Edge\\User Data\\*\\Web Data"
)
| eval process_name=lower(coalesce(process_name,Image,ProcessName))
| eval parent_process=lower(coalesce(parent_process,ParentImage,ParentProcessName))
| eval process_path=coalesce(process_path,ImagePath,process_executable)
| eval host=coalesce(host,computer,endpoint,asset)
| eval user=lower(coalesce(user,User,AccountName))
| lookup cyberdax_browser_process_allowlist process_name OUTPUT process_name as matched_browser
| lookup cyberdax_password_manager_allowlist process_name OUTPUT process_name as matched_pwmanager
| lookup cyberdax_support_assets asset as host OUTPUT asset as matched_asset
| lookup cyberdax_support_users user as user OUTPUT user as matched_user
| lookup cyberdax_maintenance_windows asset as host OUTPUT maintenance_active
| lookup cyberdax_approved_migration_tools process_name OUTPUT process_name as matched_migration
| eval suspicious_browser_path=if(match(process_name,"^(chrome|msedge|firefox|brave)\\.exe$") AND NOT like(process_path,"%Program Files%"),1,0)
| eval trusted_abuse=if(match(process_name,"^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta)\\.exe$"),1,0)
| eval nonbrowser_unauthorized=if(isnull(matched_browser) AND isnull(matched_pwmanager),1,0)
| eval suspicious_parent=if(match(parent_process,"^(winword|excel|powerpnt|outlook|acrord32|wscript|cscript|mshta|rundll32|7z|7za|winrar|rar)\\.exe$"),1,0)
| eval suspicious_exec_path=if(like(process_path,"%\\Temp\\%") OR like(process_path,"%\\Downloads\\%"),1,0)
| where isnull(matched_asset)
AND isnull(matched_user)
AND (isnull(maintenance_active) OR maintenance_active!="true")
AND isnull(matched_migration)
AND (nonbrowser_unauthorized=1 OR suspicious_browser_path=1 OR trusted_abuse=1)
AND (suspicious_parent=1 OR suspicious_exec_path=1)
| bin _time span=10m
| stats count as access_count earliest(_time) as first_seen latest(_time) as last_seen values(file_path) as file_paths values(process_path) as process_paths by host user process_name parent_process _time suspicious_browser_path trusted_abuse nonbrowser_unauthorized suspicious_parent suspicious_exec_path
| eval high_risk_single=if(access_count>=1 AND (trusted_abuse=1 OR suspicious_browser_path=1) AND suspicious_parent=1,1,0)
| where access_count > 3 OR high_risk_single=1
| eval risk_reason=case(high_risk_single=1,"single high-risk artifact access",access_count>3,"repeated credential artifact access")
| eval risk_score=case(high_risk_single=1,88,access_count>6,86,access_count>3,80,true(),75)
| table first_seen last_seen host user process_name parent_process file_paths process_paths access_count risk_reason risk_score
Elastic
Rule Name
CyberDax Unauthorized or Masquerading Process Access to Browser Credential Artifacts with Suspicious Execution Context
Purpose
Detect credential harvesting by identifying access to browser credential-storage artifacts such as Cookies, Local State, and Web Data by unauthorized processes, browser-masquerading binaries, or trusted utilities operating in suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Elastic Defend endpoint telemetry
· File access events with process linkage
· Process and parent process visibility
· Executable path visibility
· Host role or asset classification
· Optional:
o signer metadata
o maintenance window flags
o allowlists for migration tooling
Tuning Explanation
This is a primary detection rule and enforces:
· explicit browser credential artifact path access
· and one of:
o unauthorized non-browser process
o browser-named process executing from non-standard path
o trusted utility abuse
· and suspicious execution context
This rule avoids:
· browser self-access
· password manager activity
· generic file access noise
Detection Logic
· Match file access to:
o Chrome or Edge profile paths ending in Cookies, Local State, or Web Data
· Require:
o non-browser or masquerading or trusted utility
· Require:
o suspicious parent or user-space execution
Operational Context
· High-fidelity endpoint signal
· Detects modern infostealer behavior
· Should trigger immediate investigation
System-Ready Code
{
"query": {
"bool": {
"must": [
{
"regexp": {
"file.path": ".*(Google\\\\Chrome\\\\User Data|Microsoft\\\\Edge\\\\User Data).*(Cookies|Local State|Web Data)$"
}
},
{
"bool": {
"should": [
{
"bool": {
"must_not": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe","1password.exe","bitwarden.exe","keepass.exe","lastpass.exe"] } }
]
}
},
{
"bool": {
"must": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe"] } },
{ "regexp": { "process.executable": ".*\\\\Users\\\\|.*\\\\Temp\\\\|.*\\\\AppData\\\\|.*\\\\ProgramData\\\\" } }
]
}
},
{
"terms": {
"process.name": ["powershell.exe","pwsh.exe","cmd.exe","rundll32.exe","wscript.exe","cscript.exe","mshta.exe"]
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{ "terms": { "process.parent.name": ["winword.exe","excel.exe","outlook.exe","acrord32.exe","wscript.exe","mshta.exe","rundll32.exe","7z.exe","7za.exe","winrar.exe","rar.exe"] } },
{ "regexp": { "process.executable": ".*\\\\Temp\\\\|.*\\\\Downloads\\\\" } }
],
"minimum_should_match": 1
}
}
],
"must_not": [
{ "regexp": { "host.name": "(?i)^(IT-|HELPDESK-|SUPPORT-)" } }
]
}
}
}
QRadar
Rule Name
CyberDax Repeated Browser Credential Artifact Access by Unauthorized or Masquerading Process
Purpose
Detect repeated credential artifact access behavior indicative of browser data scraping by unauthorized processes or masquerading binaries under suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· File access logs
· Process telemetry
· Reference sets:
o browsers
o password managers
o support systems
o trusted paths
Tuning Explanation
This rule requires:
· credential artifact access
· and unauthorized or masquerading process
· and suspicious execution context
· and repetition threshold
This ensures:
· low noise
· high behavioral confidence
Detection Logic
· Build blocks:
o artifact path match
o process classification
o execution context
· Trigger when:
o 4 or more events within 10 minutes
· Exclude:
o support systems
o maintenance activity
System-Ready Code
Building Block: Credential Artifact Access
file path matches:
*\Chrome\User Data\*\Cookies
*\Chrome\User Data\*\Local State
*\Chrome\User Data\*\Web Data
*\Edge\User Data\*\Cookies
*\Edge\User Data\*\Local State
*\Edge\User Data\*\Web Data
Building Block: Suspicious Process
process NOT in browser or password manager
OR browser process NOT in trusted path
OR process IN (powershell.exe, pwsh.exe, cmd.exe, rundll32.exe, wscript.exe, cscript.exe, mshta.exe)
Building Block: Suspicious Context
parent process IN (winword.exe, excel.exe, outlook.exe, acrord32.exe, wscript.exe, mshta.exe, rundll32.exe, 7z.exe, 7za.exe, winrar.exe, rar.exe)
OR execution path IN Temp or Downloads
Rule:
IF all building blocks match
AND count >= 4 in 10 minutes by host+user
AND host NOT in support assets
THEN create offense
Sigma
Rule Name
CyberDax Browser Credential Artifact Access by Unauthorized, Masquerading, or Trusted-Abuse Process
Purpose
Portable detection for browser credential artifact access under suspicious execution context with variant-aware process classification.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· File access logs
· Process and parent visibility
· Execution path visibility
Tuning Explanation
This rule mirrors Elastic and QRadar logic:
· artifact path required
· and process classification
· and suspicious context
System-Ready Code
title: CyberDax Browser Credential Artifact Access by Unauthorized, Masquerading, or Trusted-Abuse Process
id: 4f8e2f1f-5e49-4d67-9f2b-cyberdax-phase1ba-artifacts-modern
status: experimental
description: Detects access to scoped browser credential artifacts by unauthorized, browser-masquerading, or trusted-abuse processes in suspicious execution context.
logsource:
product: windows
category: file_access
detection:
selection_path:
TargetFilename|contains:
- '\Chrome\User Data\'
- '\Edge\User Data\'
TargetFilename|endswith:
- '\Cookies'
- '\Local State'
- '\Web Data'
filter_pwmanager:
Image|endswith:
- '\1password.exe'
- '\lastpass.exe'
- '\bitwarden.exe'
- '\keepass.exe'
- '\migwiz.exe'
- '\usmt.exe'
selection_trusted_abuse:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_browser_named:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
- '\brave.exe'
selection_exec_path:
Image|contains:
- '\Users\'
- '\Temp\'
- '\AppData\'
- '\ProgramData\'
- '\Downloads\'
selection_parent:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\acrord32.exe'
- '\7z.exe'
- '\7za.exe'
- '\winrar.exe'
- '\rar.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
condition: selection_path and not filter_pwmanager and ((selection_trusted_abuse or (not selection_browser_named)) or (selection_browser_named and selection_exec_path)) and (selection_parent or selection_exec_path)
falsepositives:
- Approved administrative, migration, or sync tooling in environments without local suppression enrichment
level: high
tags:
- attack.t1555
- attack.t1005
- attack.t1036
YARA
Rule Name
CyberDax Browser Credential Artifact Extraction or Export Heuristic with Scoped Workflow Indicators
Purpose
Support forensic triage by identifying scripts, binaries, or staged artifacts associated with extraction, copying, querying, or export of browser credential artifacts such as Cookies, Local State, and Web Data.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
Telemetry Dependency
· Endpoint forensic collections
· File triage workflows
· Incident response artifact review
· EDR file telemetry where available
Tuning Explanation
This rule is forensic and triage support only, not a primary prevention or real-time endpoint control. It is designed to identify likely browser credential-artifact scraping workflows by requiring a combination of:
· at least one artifact-path or browser-profile indicator
· at least one extraction, copy, or query indicator
· at least one supporting credential-storage indicator
This reduces false positives compared with simple artifact-name matching and better aligns the rule to the phase ideology of active artifact access or export rather than passive artifact presence.
Detection Logic
· Match browser credential-artifact paths or profile references
· Match scraping, copying, SQLite querying, or export workflow indicators
· Match supporting credential-storage indicators such as encrypted_value or os_crypt
· Require all three categories before alerting
Operational Context
· Highest value during post-alert investigation of hosts already showing suspicious artifact-access behavior
· Useful for confirming browser-data scraping or export intent after EDR or SIEM detections
· Not intended as a standalone production prevention control
System-Ready Code
rule CYBERDAX_Browser_Credential_Artifact_Extraction_Scoped
{
meta:
description = "Heuristic for scoped browser credential artifact extraction, query, or export workflows"
author = "CyberDax Detection Engineering"
version = "1.1"
scope = "forensic triage"
strings:
$path1 = "AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" nocase
$path2 = "AppData\\\\Local\\\\Microsoft\\\\Edge\\\\User Data" nocase
$artifact1 = "Cookies" nocase
$artifact2 = "Local State" nocase
$artifact3 = "Web Data" nocase
$action1 = "sqlite3" nocase
$action2 = "SELECT" nocase
$action3 = "copy" nocase
$action4 = "export" nocase
$support1 = "os_crypt" nocase
$support2 = "encrypted_value" nocase
$support3 = "profile.path" nocase
condition:
(1 of ($path*)) and (1 of ($artifact*)) and (1 of ($action*)) and (1 of ($support*))
}
AWS
Rule Name
CyberDax Suspicious AWS Identity Validation or First-Seen Sensitive Action Following Browser Credential Artifact Access
Purpose
Detect likely attacker use of harvested credentials after local browser credential-artifact access by identifying abnormal AWS identity-validation or early access-establishment activity from unusual principal context shortly after Phase 1B-A endpoint signals.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· AWS CloudTrail
· Successful events for:
o ConsoleLogin
o AssumeRole
o GetCallerIdentity
o GetFederationToken
· Principal identity, source IP, user agent, region
· Approved corporate egress allowlists
· Approved service or automation principal allowlists
· Baseline data for:
o known IP by principal
o known region by principal
o known user agent by principal
o first-seen sensitive action by principal
· Correlation dataset:
o recent Phase 1B-A principals with timestamp
Tuning Explanation
This rule is tightened to detect both:
· low-and-slow AWS identity validation
· first-time sensitive identity-establishing actions after browser credential-artifact access
It requires:
· successful AWS identity-related activity
· abnormal principal context such as:
o source IP not previously associated with the principal
o region not previously associated with the principal
o user agent not previously associated with the principal
· plus at least one of:
o recent Phase 1B-A endpoint correlation within 60 minutes
o first-seen sensitive action for that principal
o STS or token-validation activity in abnormal context
o repeated identity-validation behavior in a bounded interval
It must not be deployed as a generic non-corporate login rule.
Detection Logic
· Detect successful ConsoleLogin, AssumeRole, GetCallerIdentity, or GetFederationToken activity
· Exclude approved service principals and approved corporate ranges
· Require abnormal source, region, or user-agent context
· Require one or more:
o recent Phase 1B-A correlation
o first-seen sensitive action
o STS or token-validation activity
o repeated identity-validation behavior
Operational Context
· Highest value in environments using federated enterprise identities into AWS
· Strong signal when attackers pivot from local browser credential-artifact access into AWS validation or early privilege use
· If baseline IP, region, or user-agent modeling is unavailable, this rule must not be treated as final production detection without local adaptation
System-Ready Code
SELECT
eventtime,
useridentity.arn AS principal_arn,
sourceipaddress AS source_ip,
eventname,
useragent,
awsregion
FROM cloudtrail_logs
WHERE eventname IN ('ConsoleLogin','AssumeRole','GetCallerIdentity','GetFederationToken')
AND errorcode IS NULL
AND useridentity.arn NOT IN (
SELECT principal FROM approved_service_principals
)
AND sourceipaddress NOT IN (
SELECT ip_or_range FROM approved_corporate_ranges
)
AND (
sourceipaddress NOT IN (
SELECT ip FROM baseline_ip_by_principal
WHERE principal = useridentity.arn
)
OR awsregion NOT IN (
SELECT region FROM baseline_region_by_principal
WHERE principal = useridentity.arn
)
OR useragent NOT IN (
SELECT user_agent FROM baseline_user_agent_by_principal
WHERE principal = useridentity.arn
)
)
AND (
useridentity.arn IN (
SELECT principal
FROM recent_phase1ba_principals
WHERE seen_time >= NOW() - INTERVAL '60 minutes'
)
OR (eventname IN ('AssumeRole','GetFederationToken'))
OR (useridentity.arn, eventname) IN (
SELECT principal, action_name
FROM first_seen_sensitive_actions
)
OR useridentity.arn IN (
SELECT principal_arn
FROM repeated_identity_validation_window
WHERE validation_count > 1
)
);
Azure
Rule Name
CyberDax Suspicious Entra Identity Validation Following Browser Credential Artifact Access
Purpose
Detect likely attacker use of harvested credentials after local browser credential-artifact access by identifying abnormal successful Entra sign-ins or identity-validation behavior from unusual device, IP, or client context.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· Microsoft Entra SigninLogs
· Successful sign-in events
· User principal, source IP, device context, user agent, app context
· Watchlists for:
o approved corporate IP ranges
o approved automation identities
· Optional but strongly recommended:
o trusted or named-location suppression
o device trust state
o baseline or enrichment data for rare IP, device, or user-agent context
o correlation flag from recent Phase 1B-A endpoint detections
Tuning Explanation
This rule is tightened to detect:
· low-and-slow cloud identity validation
· rare unmanaged-device validation
· first-wave credential use after browser credential-artifact access
It requires:
· successful sign-in activity
· abnormal context such as:
o non-corporate source IP
o uncommon device
o unmanaged or untrusted device state
o uncommon user agent
· plus at least one of:
o recent Phase 1B-A endpoint correlation within 60 minutes
o repeated suspicious sign-ins in a bounded interval
o unmanaged-device or device-mismatch condition
o uncommon client context across multiple applications
It must not be deployed as a generic impossible-travel or generic unknown-device rule.
Detection Logic
· Detect successful Entra sign-ins
· Exclude approved corporate IP ranges and automation identities
· Summarize short-window activity by user, IP, device, user agent, and application count
· Require abnormal device or client context
· Require either recent Phase 1B-A correlation, repetition, device mismatch, or uncommon multi-app validation behavior
Operational Context
· Highest value where enterprise identities provide access to Microsoft cloud services
· Strong signal when attackers pivot from local browser credential-artifact access into Entra-backed services
· If trusted-location suppression is unavailable, equivalent IP suppression must be added before production deployment
System-Ready Code
let ApprovedIPs = _GetWatchlist('cyberdax_approved_ip_ranges') | project SearchKey;
let AutomationAccounts = _GetWatchlist('cyberdax_automation_accounts') | project SearchKey;
let Phase1BAUsers = _GetWatchlist('cyberdax_recent_phase1ba_users') | project SearchKey;
SigninLogs
| where ResultType == 0
| where UserPrincipalName !in (AutomationAccounts)
| where IPAddress !in (ApprovedIPs)
| extend DeviceId = tostring(DeviceDetail.deviceId),
IsManaged = tostring(DeviceDetail.isManaged),
UA = tostring(UserAgent)
| summarize sign_in_count = count(),
first_seen = min(TimeGenerated),
last_seen = max(TimeGenerated),
app_count = dcount(AppDisplayName),
apps = make_set(AppDisplayName)
by UserPrincipalName, IPAddress, DeviceId, IsManaged, UA, bin(TimeGenerated, 30m)
| extend phase1ba = UserPrincipalName in (Phase1BAUsers)
| where phase1ba == true
or sign_in_count > 1
or IsManaged == "false"
or app_count > 1
Deployment Note
· If approved IP watchlists are unavailable, substitute trusted-location or named-location suppression
· If device trust fields are unavailable, do not treat unmanaged-device logic as final production gating without local adaptation
· Missing device identity alone must not be treated as suspicious without correlation, repetition, or additional abnormal context
GCP
Rule Name
CyberDax Suspicious GCP Identity Validation or First-Seen IAM Activity Following Browser Credential Artifact Access
Purpose
Detect likely attacker use of harvested credentials after local browser credential-artifact access by identifying abnormal authenticated GCP identity-validation activity or first-seen IAM behavior from unusual principal context.
ATT&CK Technique
· T1078 – Valid Accounts
· T1098 – Account Manipulation
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· GCP Cloud Audit Logs
· Principal identity, caller IP, method name, project context
· Approved corporate IP allowlists
· Optional but strongly recommended:
o service account and automation allowlists
o baseline caller IP by principal
o first-seen method usage by principal
o repeated identity-validation modeling
o correlation with recent Phase 1B-A endpoint detections
Tuning Explanation
This rule is tightened to catch:
· low-and-slow GCP validation
· first-time IAM or identity-establishing behavior
· abnormal caller context after local browser credential-artifact access
It requires:
· authenticated GCP activity
· abnormal principal context such as:
o caller IP not previously associated with the principal
· plus at least one of:
o recent Phase 1B-A endpoint correlation within 60 minutes
o first-seen sensitive or validation-related method usage
o privileged IAM method usage
o repeated validation activity in abnormal context
This prevents the rule from becoming too generic while keeping it resilient against stealth cloud pivoting.
Detection Logic
· Detect authenticated GCP control-plane or identity-related activity
· Exclude approved corporate ranges
· Require abnormal principal context
· Require one or more:
o recent Phase 1B-A correlation
o first-seen method usage
o privileged IAM method
o repeated validation activity
Operational Context
· Highest value in organizations using federated enterprise identities into GCP
· Strong detector for early cloud pivoting after local browser credential-artifact access
· If baseline source or method modeling is unavailable, do not treat this as final production detection without local adaptation
System-Ready Code
SELECT
timestamp,
protopayload_auditlog.authenticationInfo.principalEmail AS principal_email,
protopayload_auditlog.methodName AS method_name,
protopayload_auditlog.requestMetadata.callerIp AS caller_ip,
resource.labels.project_id AS project_id
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE protopayload_auditlog.authenticationInfo.principalEmail IS NOT NULL
AND protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip_or_range FROM `project.dataset.approved_corporate_ranges`
)
AND (
protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip FROM `project.dataset.baseline_ip_by_principal`
WHERE principal = protopayload_auditlog.authenticationInfo.principalEmail
)
)
AND (
protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM `project.dataset.recent_phase1ba_principals`
WHERE seen_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 MINUTE)
)
OR (
protopayload_auditlog.authenticationInfo.principalEmail,
protopayload_auditlog.methodName
) IN (
SELECT principal, method_name
FROM `project.dataset.first_seen_methods`
)
OR protopayload_auditlog.methodName IN (
'SetIamPolicy',
'google.iam.admin.v1.CreateServiceAccountKey',
'google.iam.admin.v1.GenerateAccessToken',
'google.iam.admin.v1.GenerateIdToken',
'google.iam.credentials.v1.GenerateAccessToken',
'google.iam.credentials.v1.GenerateIdToken'
)
OR protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM `project.dataset.repeated_identity_validation_principals`
WHERE validation_count > 1
)
);
Phase 1B-B — Cookie Store Access and Early-Stage Interaction
Suricata
Rule Name
CyberDax Suspicious External Validation Traffic Following Likely Cookie-Store Interaction
Purpose
Provide corroborating network telemetry for early-stage session-artifact interaction by identifying suspicious outbound validation traffic to rare, newly observed, or low-prevalence destinations shortly after likely local cookie-store access activity.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1078 – Valid Accounts
· T1102 – Web Service Communication
Telemetry Dependency
· Egress HTTP inspection and or TLS SNI visibility
· DNS telemetry
· Rare-domain, first-seen, or low-prevalence enrichment where available
· Correlation capability with endpoint Phase 1B-B detections
Tuning Explanation
This is a corroborating detector only. It must not be used as a standalone session-abuse analytic. It is designed to catch early external validation behavior that frequently follows local cookie-store interaction. To remain low-noise, it requires:
· suspicious external destination characteristics
· repeated or burst-like access behavior
· correlation to recent endpoint cookie-store interaction where available
It must not alert on generic browser traffic alone.
Detection Logic
· Detect repeated outbound HTTP or TLS communication to suspicious external destinations
· Prefer destinations that are:
o rare in the environment
o newly observed
o low reputation
· Use only when tied to recent endpoint cookie-store interaction or investigation context
Operational Context
· Highest value when enriching SentinelOne or Splunk detections
· Useful for early external validation behavior before full token or session abuse
· Not intended to replace endpoint cookie-store access detection
System-Ready Code
# Required local variables:
# var USER_WORKSTATIONS [10.20.0.0/16,10.30.0.0/16]
# var APPROVED_AUTH_NETS [20.190.128.0/18,52.96.0.0/12,34.64.0.0/10]
pass tls $USER_WORKSTATIONS any -> $APPROVED_AUTH_NETS any (
msg:"CYBERDAX allow approved enterprise authentication traffic";
flow:established,to_server;
sid:5413202;
rev:1;
)
alert tls $USER_WORKSTATIONS any -> $EXTERNAL_NET any (
msg:"CYBERDAX suspicious external validation traffic following likely cookie interaction";
flow:established,to_server;
tls.sni;
detection_filter:track by_src, count 4, seconds 120;
classtype:trojan-activity;
sid:5413201;
rev:2;
metadata:deployment Egress, confidence medium, attack_target Workstation, role Corroborating, phase Phase1BB;
)
SentinelOne
Rule Name
CyberDax Browser Cookie Store Access by Unauthorized, User-Space, or Trusted-Abuse Process with Suspicious Execution Context
Purpose
Detect early-stage session-artifact interaction by identifying access to explicitly scoped browser cookie-store artifacts by unauthorized processes, browser-masquerading binaries, or trusted utilities executing in suspicious context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· SentinelOne Deep Visibility file interaction or file access telemetry
· Process execution telemetry
· Parent-child process visibility
· Full process image path visibility
· Endpoint grouping or naming to distinguish support and administrative systems from standard user endpoints
· Optional but recommended:
o maintenance-window suppression
o sanctioned sync or migration tooling allowlists
o signer or reputation metadata
o immediate follow-on network telemetry as investigation amplifier
Tuning Explanation
This is the primary Phase 1B-B endpoint analytic and is intentionally stricter than the initial draft. It requires:
· access to explicitly scoped browser cookie-store paths
· by either:
o a non-browser, non-password-manager process
o a browser-named process executing from abnormal user-space or non-standard path
o a trusted utility commonly abused for scraping or export activity
· suspicious execution context through parent lineage or user-space execution origin
This rule is designed to detect:
· direct cookie-store scraping
· script-driven browser cookie interaction
· browser-masquerading access
· document-, archive-, or launcher-driven cookie-store access
This rule must not alert on:
· normal browser self-access
· sanctioned password-manager activity
· expected support, sync, migration, or administrative workflows where locally modeled
· generic access to loosely named files without profile-path scoping
Detection Logic
· Detect access to explicitly scoped browser cookie-store paths such as:
o Chrome Cookies
o Edge Cookies
o Firefox cookies.sqlite
· Require one of the following process conditions:
o process is not an approved browser or password manager
o process name resembles a browser but executes from abnormal user-space or non-standard path
o process is a trusted utility commonly abused for scraping or export such as powershell, pwsh, cmd, rundll32, wscript, cscript, or mshta
· Require suspicious execution context through one or more of:
o Office, Outlook, PDF, archive, script, or launcher parent
o execution from Temp or Downloads
o user-space browser-named executable outside expected install path
· Exclude support, admin, and maintenance populations before alerting
Operational Context
· Highest value on standard user workstations where non-browser access to cookie stores is rare
· Strong signal for early session-artifact interaction before later token or session-material abuse
· Best escalated immediately when paired with:
o recent lure-infrastructure interaction
o repeated cookie-store touches
o suspicious external validation traffic
· If file interaction telemetry is incomplete or path fidelity is weak, this rule must not be treated as final production detection without local validation
System-Ready Code
(
FileFullName RegExp "(?i)\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Cookies$"
OR FileFullName RegExp "(?i)\\\\Microsoft\\\\Edge\\\\User Data\\\\.*\\\\Cookies$"
OR FileFullName RegExp "(?i)\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\cookies\\.sqlite$"
)
AND
(
(
NOT TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND NOT TgtProcName RegExp "(?i)^(1password|lastpass|bitwarden|keepass|migwiz|usmt)\\.exe$"
)
OR
(
TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND TgtProcImagePath RegExp "(?i)\\\\Users\\\\|\\\\ProgramData\\\\|\\\\Temp\\\\|\\\\AppData\\\\"
)
OR
TgtProcName RegExp "(?i)^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta)\\.exe$"
)
AND
(
SrcProcName RegExp "(?i)^(winword|excel|powerpnt|outlook|acrord32|7z|7za|winrar|rar|wscript|cscript|mshta|rundll32)\\.exe$"
OR TgtProcImagePath RegExp "(?i)\\\\AppData\\\\Local\\\\Temp\\\\"
OR TgtProcImagePath RegExp "(?i)\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\"
)
AND NOT EndpointName RegExp "(?i)^(HD-|HELPDESK-|IT-|SUPPORT-|SRV-IT-)"
AND NOT GroupName RegExp "(?i)(Helpdesk|IT Support|Desktop Support|Admin Workstations)"
AND NOT UserName RegExp "(?i)^(svc_|helpdesk|itadmin|support\\.)"
Splunk
Rule Name
CyberDax Cookie Store Access with Suspicious Process Context and Early External Validation Correlation
Purpose
Detect early-stage session-artifact interaction by correlating explicitly scoped browser cookie-store access with suspicious process context and optional near-term external validation behavior.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1102 – Web Service Communication
· T1036 – Masquerading
Telemetry Dependency
· Normalized endpoint file-access telemetry
· Normalized process execution telemetry
· Parent-process visibility
· Process executable path visibility where available
· DNS logs and or proxy / network logs for enrichment
· Lookup tables:
o cyberdax_browser_process_allowlist
o cyberdax_password_manager_allowlist
o cyberdax_support_assets
o cyberdax_support_users
o cyberdax_maintenance_windows
o cyberdax_trusted_browser_paths
o cyberdax_approved_sync_tools
· Optional but recommended:
o rare-domain enrichment
o recent lure-infrastructure correlation
Tuning Explanation
This is the primary SIEM analytic for Phase 1B-B and is intentionally stricter than the initial draft. It requires:
· access to explicitly scoped cookie-store paths
· by one of the following:
o unauthorized non-browser process
o browser-named process executing outside trusted browser paths
o trusted utility commonly abused for scraping
· suspicious execution context through parent process or execution origin
The rule is designed to trigger on either:
· repeated cookie-store access above threshold in a bounded interval
· a single high-risk event where process class and context strongly indicate malicious access
Optional external validation enrichment is included as a triage amplifier, not a hard requirement, to avoid suppressing true positives in environments with incomplete network correlation.
Detection Logic
· Collect file-access events targeting explicitly scoped browser cookie-store paths
· Normalize process, parent process, user, and host fields
· Exclude approved browsers, password managers, support assets, support users, maintenance windows, and approved sync tooling
· Identify suspicious process classes:
o unauthorized non-browser access
o browser-named process outside trusted browser path
o trusted utility abuse
· Require suspicious execution context:
o lure-adjacent parent process
o or Temp / Downloads execution origin
· Aggregate repeated events by host, user, process, and parent process
· Alert on:
o repeated access above threshold
o or single high-risk event with strong malicious process and context combination
· Preserve optional nearby external-validation context for triage
Operational Context
· Intended for workstation fleets where access to browser cookie stores by non-browser or abnormal browser processes should be rare
· Strong indicator of early session-artifact interaction before later replay or token abuse
· Best escalated when correlated with:
o suspicious external validation traffic
o recent lure-infrastructure interaction
o later authentication anomalies
· If file access telemetry is sparse, parent-process visibility is missing, or process path data is unavailable, do not treat this rule as final production detection without local validation
System-Ready Code
index=edr_logs
(
file_path="*\\Google\\Chrome\\User Data\\*\\Cookies"
OR file_path="*\\Microsoft\\Edge\\User Data\\*\\Cookies"
OR file_path="*\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite"
)
| eval process_name=lower(coalesce(process_name,Image,ProcessName))
| eval parent_process=lower(coalesce(parent_process,ParentImage,ParentProcessName))
| eval process_path=coalesce(process_path,ImagePath,process_executable)
| eval host=coalesce(host,computer,endpoint,asset)
| eval user=lower(coalesce(user,User,AccountName))
| lookup cyberdax_browser_process_allowlist process_name OUTPUT process_name as matched_browser
| lookup cyberdax_password_manager_allowlist process_name OUTPUT process_name as matched_pwmanager
| lookup cyberdax_support_assets asset as host OUTPUT asset as matched_asset
| lookup cyberdax_support_users user as user OUTPUT user as matched_user
| lookup cyberdax_maintenance_windows asset as host OUTPUT maintenance_active
| lookup cyberdax_approved_sync_tools process_name OUTPUT process_name as matched_sync
| eval suspicious_browser_path=if(match(process_name,"^(chrome|msedge|firefox|brave)\\.exe$") AND NOT like(process_path,"%Program Files%"),1,0)
| eval trusted_abuse=if(match(process_name,"^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta)\\.exe$"),1,0)
| eval nonbrowser_unauthorized=if(isnull(matched_browser) AND isnull(matched_pwmanager),1,0)
| eval suspicious_parent=if(match(parent_process,"^(winword|excel|powerpnt|outlook|acrord32|wscript|cscript|mshta|rundll32|7z|7za|winrar|rar)\\.exe$"),1,0)
| eval suspicious_exec_path=if(like(process_path,"%\\Temp\\%") OR like(process_path,"%\\Downloads\\%"),1,0)
| where isnull(matched_asset)
AND isnull(matched_user)
AND (isnull(maintenance_active) OR maintenance_active!="true")
AND isnull(matched_sync)
AND (nonbrowser_unauthorized=1 OR suspicious_browser_path=1 OR trusted_abuse=1)
AND (suspicious_parent=1 OR suspicious_exec_path=1)
| bin _time span=10m
| stats count as access_count earliest(_time) as first_seen latest(_time) as last_seen values(file_path) as file_paths values(process_path) as process_paths by host user process_name parent_process _time suspicious_browser_path trusted_abuse nonbrowser_unauthorized suspicious_parent suspicious_exec_path
| eval high_risk_single=if(access_count>=1 AND (trusted_abuse=1 OR suspicious_browser_path=1) AND suspicious_parent=1,1,0)
| where access_count > 3 OR high_risk_single=1
| table first_seen last_seen host user process_name parent_process file_paths process_paths access_count high_risk_single
Elastic
Rule Name
CyberDax Browser Cookie Store Access by Unauthorized, Browser-Masquerading, or Trusted-Abuse Process with Suspicious Execution Context
Purpose
Detect early-stage session-artifact interaction by identifying access to explicitly scoped browser cookie-store artifacts by unauthorized processes, browser-masquerading binaries, or trusted utilities operating in suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Elastic Defend endpoint telemetry
· File access events with process linkage
· Process and parent-process visibility
· Executable-path visibility
· Host role or asset classification
· Optional:
o signer metadata
o maintenance-window labels
o approved sync or migration tooling allowlists
Tuning Explanation
This is a primary endpoint-style detector for Phase 1B-B and is intentionally low-noise. It requires all of the following:
· explicit cookie-store path access
· by one of:
o unauthorized non-browser process
o browser-named process executing from non-standard or user-space path
o trusted utility commonly abused for scraping
· suspicious execution context through parent lineage or user-space execution origin
This rule must not alert on:
· normal browser self-access
· password-manager activity
· approved sync or migration tooling
· generic access to cookie files without profile-path scoping
Detection Logic
· Match access to:
o Chrome profile Cookies
o Edge profile Cookies
o Firefox profile cookies.sqlite
· Require process class:
o unauthorized non-browser access
o browser-named process outside trusted install path
o trusted utility abuse
· Require suspicious context:
o Office, Outlook, PDF, archive, or script parent
o or Temp / Downloads execution origin
· Exclude support, admin, and maintenance populations before alerting
Operational Context
· High-fidelity endpoint signal for early session-artifact interaction
· Strong precursor to later token or replay activity
· Best escalated when paired with recent lure interaction or suspicious external validation behavior
System-Ready Code
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{ "wildcard": { "file.path": "*\\Google\\Chrome\\User Data\\*\\Cookies" } },
{ "wildcard": { "file.path": "*\\Microsoft\\Edge\\User Data\\*\\Cookies" } },
{ "wildcard": { "file.path": "*\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite" } }
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"bool": {
"must_not": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe","1password.exe","bitwarden.exe","keepass.exe","lastpass.exe","migwiz.exe","usmt.exe"] } }
]
}
},
{
"bool": {
"must": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe"] } },
{
"bool": {
"must_not": [
{ "regexp": { "process.executable": ".*\\\\Program Files( \\(x86\\))?\\\\.*" } }
]
}
}
]
}
},
{
"terms": {
"process.name": ["powershell.exe","pwsh.exe","cmd.exe","rundll32.exe","wscript.exe","cscript.exe","mshta.exe"]
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{ "terms": { "process.parent.name": ["winword.exe","excel.exe","outlook.exe","acrord32.exe","wscript.exe","mshta.exe","rundll32.exe","7z.exe","7za.exe","winrar.exe","rar.exe"] } },
{ "regexp": { "process.executable": ".*\\\\AppData\\\\Local\\\\Temp\\\\.*" } },
{ "regexp": { "process.executable": ".*\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\.*" } }
],
"minimum_should_match": 1
}
}
],
"must_not": [
{ "regexp": { "host.name": "(?i)^(IT-|HELPDESK-|SUPPORT-)" } },
{ "term": { "labels.maintenance_window": "true" } }
]
}
}
}
QRadar
Rule Name
CyberDax Repeated Browser Cookie Store Access by Unauthorized or Masquerading Process with Suspicious Execution Context
Purpose
Detect repeated browser cookie-store access indicative of early session-artifact interaction by unauthorized processes or masquerading binaries under suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· File access logs
· Process telemetry
· Reference sets:
o CYBERDAX_BROWSER_PROCESSES
o CYBERDAX_PASSWORD_MANAGER_PROCESSES
o CYBERDAX_SUPPORT_ASSETS
o CYBERDAX_SUPPORT_USERS
o CYBERDAX_MAINTENANCE_ASSETS
o CYBERDAX_TRUSTED_BROWSER_PATHS
o CYBERDAX_APPROVED_SYNC_TOOLS
Tuning Explanation
This is a primary SIEM analytic for Phase 1B-B and requires:
· explicit cookie-store path access
· by one of:
o unauthorized non-browser process
o browser-named process outside trusted browser paths
o trusted utility commonly abused for scraping
· suspicious execution context
· at least 4 repeated events within 10 minutes
This rule suppresses:
· support assets
· support users
· maintenance assets
· approved sync tooling
· approved browser and password-manager activity
It must not be treated as final production detection if file path and process identity are not reliably normalized in the same event stream.
Detection Logic
· Building Block 1 identifies scoped cookie-store path access
· Building Block 2 identifies unauthorized, browser-masquerading, or trusted-abuse process patterns
· Building Block 3 identifies suspicious execution context
· Main CRE rule requires all three building blocks and repeated-event aggregation
· Main CRE rule suppresses support populations and creates an offense only when all conditions align
Operational Context
· Highest value where workstation file-access telemetry is ingested
· Strong detector for early session-artifact interaction before broader replay or token abuse
· Best escalated when correlated with suspicious validation traffic or recent lure activity
System-Ready Code
Reference Set: CYBERDAX_BROWSER_PROCESSES
Reference Set: CYBERDAX_PASSWORD_MANAGER_PROCESSES
Reference Set: CYBERDAX_SUPPORT_ASSETS
Reference Set: CYBERDAX_SUPPORT_USERS
Reference Set: CYBERDAX_MAINTENANCE_ASSETS
Reference Set: CYBERDAX_TRUSTED_BROWSER_PATHS
Reference Set: CYBERDAX_APPROVED_SYNC_TOOLS
Building Block: CYBERDAX_Browser_Cookie_Store_Access
when event category indicates file access
and file path matches one of:
*\Google\Chrome\User Data\*\Cookies
*\Microsoft\Edge\User Data\*\Cookies
*\Mozilla\Firefox\Profiles\*\cookies.sqlite
Building Block: CYBERDAX_Unauthorized_Or_Masquerading_Process
when (
process name is not in CYBERDAX_BROWSER_PROCESSES
and process name is not in CYBERDAX_PASSWORD_MANAGER_PROCESSES
and process name is not in CYBERDAX_APPROVED_SYNC_TOOLS
)
or (
process name is in CYBERDAX_BROWSER_PROCESSES
and process path is not in CYBERDAX_TRUSTED_BROWSER_PATHS
)
or (
process name is one of:
powershell.exe
pwsh.exe
cmd.exe
rundll32.exe
wscript.exe
cscript.exe
mshta.exe
)
Building Block: CYBERDAX_Suspicious_Context
when parent process indicates office, pdf, archive, or script execution
or process path indicates Temp or Downloads execution
Rule: CYBERDAX Browser Cookie Store Access by Unauthorized or Masquerading Process
when BB:CYBERDAX_Browser_Cookie_Store_Access matches
and BB:CYBERDAX_Unauthorized_Or_Masquerading_Process matches
and BB:CYBERDAX_Suspicious_Context matches
and at least 4 matching access events occur by same destination hostname and username within 10 minutes
and destination hostname not in CYBERDAX_SUPPORT_ASSETS
and username not in CYBERDAX_SUPPORT_USERS
and destination hostname not in CYBERDAX_MAINTENANCE_ASSETS
then create offense
Severity: 8
Relevance: 8
Credibility: 8
Sigma
Rule Name
CyberDax Browser Cookie Store Access by Unauthorized, Masquerading, or Trusted-Abuse Process
Purpose
Provide portable supporting detection for explicitly scoped browser cookie-store access by unauthorized processes, browser-masquerading binaries, or trusted-abuse utilities in suspicious execution context.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Endpoint file-access logs
· Process and parent-process visibility
· Execution-path visibility or equivalent backend enrichment
· Optional:
o support-population enrichment
o maintenance-window enrichment
o trusted browser-path enrichment
Tuning Explanation
This is supporting detection, not a standalone primary analytic. It is intended for backends that can preserve:
· file path access
· process identity
· parent-process context
· executable path where available
This version keeps the same variant-aware ideology as Elastic and QRadar by covering:
· unauthorized non-browser access
· browser-named process from abnormal path
· trusted-utility abuse
It must not be deployed unchanged if:
· file-access telemetry is absent
· both parent-process visibility and execution-path context are missing
· support-population suppression cannot be approximated
Detection Logic
· Detect scoped cookie-store path access
· Exclude password managers and approved sync tooling
· Match one of:
o unauthorized non-browser process
o browser-named process from suspicious user-space path
o trusted utility commonly abused for scraping
· Require suspicious parent process or suspicious execution-path context
· Forward matches to SIEM correlation and triage pipelines
Operational Context
· Useful as portable supporting content where endpoint file-access telemetry exists
· Best used with stronger SIEM or EDR analytics
· Not intended to replace full primary detections
System-Ready Code
title: CyberDax Browser Cookie Store Access by Unauthorized, Masquerading, or Trusted-Abuse Process
id: d3a11b25-44d2-4f7a-8bc6-cyberdax-phase1bb-cookie
status: experimental
description: Detects scoped browser cookie-store access by unauthorized, browser-masquerading, or trusted-abuse processes in suspicious execution context.
logsource:
product: windows
category: file_access
detection:
selection_path:
TargetFilename|contains:
- '\Google\Chrome\User Data\'
- '\Microsoft\Edge\User Data\'
- '\Mozilla\Firefox\Profiles\'
TargetFilename|endswith:
- '\Cookies'
- '\cookies.sqlite'
filter_pwmanager:
Image|endswith:
- '\1password.exe'
- '\lastpass.exe'
- '\bitwarden.exe'
- '\keepass.exe'
- '\migwiz.exe'
- '\usmt.exe'
selection_trusted_abuse:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_browser_named:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
- '\brave.exe'
selection_exec_path:
Image|contains:
- '\Users\'
- '\Temp\'
- '\AppData\'
- '\ProgramData\'
- '\Downloads\'
selection_parent:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\acrord32.exe'
- '\7z.exe'
- '\7za.exe'
- '\winrar.exe'
- '\rar.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
condition: selection_path and not filter_pwmanager and ((selection_trusted_abuse or (not selection_browser_named)) or (selection_browser_named and selection_exec_path)) and (selection_parent or selection_exec_path)
falsepositives:
- Approved administrative, sync, or migration tooling in environments without local suppression enrichment
level: high
tags:
- attack.t1555
- attack.t1005
- attack.t1036
YARA
Rule Name
CyberDax Browser Cookie Store Extraction or Query Heuristic with Scoped Workflow Indicators
Purpose
Support forensic triage by identifying scripts, binaries, or staged artifacts associated with extraction, copying, or querying of browser cookie stores such as Chrome Cookies, Edge Cookies, or Firefox cookies.sqlite.
ATT&CK Technique
· T1555 – Credentials from Password Stores
· T1005 – Data from Local System
Telemetry Dependency
· Endpoint forensic collections
· File triage workflows
· Incident response artifact review
· EDR file telemetry where available
Tuning Explanation
This rule is forensic and triage support only, not a primary prevention or real-time endpoint control. It is designed to identify likely cookie-store scraping workflows by requiring a combination of:
· at least one cookie-store path or profile indicator
· at least one extraction, copy, or query indicator
· at least one supporting cookie or browser-storage indicator
This reduces false positives compared with generic cookie-name matching and better aligns the rule to active cookie-store extraction or query behavior.
Detection Logic
· Match browser cookie-store paths or profile references
· Match scraping, copying, SQLite querying, or export workflow indicators
· Match supporting cookie or browser-storage indicators
· Require all three categories before alerting
Operational Context
· Highest value during post-alert investigation of hosts already showing suspicious cookie-store access behavior
· Useful for confirming cookie-store extraction or query intent after EDR or SIEM detections
· Not intended as a standalone production prevention control
System-Ready Code
rule CYBERDAX_Browser_Cookie_Store_Extraction_Scoped
{
meta:
description = "Heuristic for scoped browser cookie-store extraction or query workflows"
author = "CyberDax Detection Engineering"
version = "1.0"
scope = "forensic triage"
strings:
$path1 = "AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" nocase
$path2 = "AppData\\\\Local\\\\Microsoft\\\\Edge\\\\User Data" nocase
$path3 = "AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles" nocase
$artifact1 = "Cookies" nocase
$artifact2 = "cookies.sqlite" nocase
$action1 = "sqlite3" nocase
$action2 = "SELECT" nocase
$action3 = "copy" nocase
$action4 = "export" nocase
$support1 = "encrypted_value" nocase
$support2 = "host_key" nocase
$support3 = "moz_cookies" nocase
condition:
(1 of ($path*)) and (1 of ($artifact*)) and (1 of ($action*)) and (1 of ($support*))
}
AWS
Rule Name
CyberDax Suspicious AWS Identity Validation Following Cookie Store Access Indicators
Purpose
Detect early-stage use of session artifacts after browser cookie-store interaction by identifying abnormal AWS identity-validation behavior from unusual principal context shortly after Phase 1B-B signals.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· AWS CloudTrail
· Successful events:
o ConsoleLogin
o GetCallerIdentity
o GetFederationToken
· Principal identity, source IP, user agent, region
· Approved corporate IP ranges
· Approved service principals
· Baseline:
o known IP by principal
o known region by principal
o known user agent by principal
o first-seen validation action by principal
· Correlation dataset:
o recent Phase 1B-B principals
Tuning Explanation
This rule is tightened for early validation behavior, not full account use. It requires:
· successful identity-validation or validation-adjacent activity
· abnormal context:
o new IP
o new region
o or new user agent
· plus at least one of:
o recent Phase 1B-B correlation within 60 minutes
o first-seen validation behavior for that principal
o repeated validation attempts in a bounded interval
o token-validation-style activity through GetFederationToken in abnormal context
This rule must not be deployed as a generic unusual-login analytic.
Detection Logic
· Detect successful ConsoleLogin, GetCallerIdentity, or GetFederationToken activity
· Exclude approved corporate ranges and approved service principals
· Require abnormal context
· Require at least one:
o recent Phase 1B-B correlation
o first-seen validation behavior
o repeated validation behavior
o token-validation-style activity
Operational Context
· Highest value in environments using federated enterprise identities into AWS
· Strong signal for early validation after cookie-store interaction and before broader session use
· If baseline IP, region, or user-agent modeling is unavailable, this rule must not be treated as final production detection without local adaptation
System-Ready Code
SELECT
eventtime,
useridentity.arn AS principal_arn,
sourceipaddress,
eventname,
useragent,
awsregion
FROM cloudtrail_logs
WHERE eventname IN ('ConsoleLogin','GetCallerIdentity','GetFederationToken')
AND errorcode IS NULL
AND useridentity.arn NOT IN (
SELECT principal FROM approved_service_principals
)
AND sourceipaddress NOT IN (
SELECT ip FROM approved_corporate_ranges
)
AND (
sourceipaddress NOT IN (
SELECT ip FROM baseline_ip_by_principal
WHERE principal = useridentity.arn
)
OR awsregion NOT IN (
SELECT region FROM baseline_region_by_principal
WHERE principal = useridentity.arn
)
OR useragent NOT IN (
SELECT ua FROM baseline_user_agent_by_principal
WHERE principal = useridentity.arn
)
)
AND (
useridentity.arn IN (
SELECT principal
FROM recent_phase1bb_principals
WHERE seen_time >= NOW() - INTERVAL '60 minutes'
)
OR (useridentity.arn, eventname) IN (
SELECT principal, action_name
FROM first_seen_identity_validation
)
OR useridentity.arn IN (
SELECT principal
FROM repeated_validation_activity
WHERE validation_count > 1
)
OR eventname = 'GetFederationToken'
);
Azure
Rule Name
CyberDax Suspicious Entra Identity Validation Following Cookie Store Interaction
Purpose
Detect early-stage use of session artifacts after browser cookie-store interaction by identifying abnormal Entra sign-in or validation behavior from unusual device, IP, or client context before broader session abuse occurs.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· Entra SigninLogs
· Successful sign-ins
· User, IP, device, user agent, app context
· Watchlists:
o approved IP ranges
o automation accounts
· Baseline:
o known device
o known IP
o known user agent
o known app usage patterns
· Correlation dataset:
o recent Phase 1B-B endpoint detections
Tuning Explanation
This rule is tightened to catch:
· low-and-slow early validation
· unmanaged or unexpected device use
· uncommon multi-app validation behavior shortly after cookie-store access
It requires:
· successful sign-in activity
· abnormal context:
o new IP
o new or unmanaged device
o uncommon user agent
· plus at least one of:
o Phase 1B-B correlation within 60 minutes
o repeated validation behavior
o unmanaged-device or device-mismatch condition
o uncommon validation across more than one application in a short window
This rule must not be deployed as a generic new-device or generic non-corporate sign-in rule.
Detection Logic
· Detect successful sign-ins
· Exclude approved IPs and automation accounts
· Summarize short-window behavior by user, IP, device, user agent, and application count
· Require abnormal device or client context
· Require either:
o recent Phase 1B-B correlation
o repetition
o device mismatch
o uncommon multi-app validation
Operational Context
· Highest value where enterprise identities provide access to Microsoft cloud services
· Strong signal for early validation after cookie-store access and before broader replay behavior
· Device state and app-count behavior should be treated as high-value amplifiers, not standalone triggers
System-Ready Code
let ApprovedIPs = _GetWatchlist('approved_ip_ranges') | project SearchKey;
let Automation = _GetWatchlist('automation_accounts') | project SearchKey;
let Phase1BB = _GetWatchlist('recent_phase1bb_users') | project SearchKey;
SigninLogs
| where ResultType == 0
| where UserPrincipalName !in (Automation)
| where IPAddress !in (ApprovedIPs)
| extend UA = tostring(UserAgent),
Device = tostring(DeviceDetail.deviceId),
Managed = tostring(DeviceDetail.isManaged)
| summarize sign_in_count = count(),
app_count = dcount(AppDisplayName),
first_seen = min(TimeGenerated),
last_seen = max(TimeGenerated)
by UserPrincipalName, IPAddress, Device, Managed, UA, bin(TimeGenerated, 30m)
| extend phase1bb = UserPrincipalName in (Phase1BB)
| where phase1bb == true
or sign_in_count > 1
or Managed == "false"
or app_count > 1
Deployment Note
· If approved IP watchlists are unavailable, substitute trusted-location or named-location suppression
· If device trust fields are unavailable, do not treat unmanaged-device logic as final production gating without local adaptation
· Missing device identity alone must not be treated as suspicious without correlation, repetition, or additional abnormal context
GCP
Rule Name
CyberDax Suspicious GCP Identity Validation Following Cookie Store Interaction
Purpose
Detect early-stage use of session artifacts after browser cookie-store interaction by identifying abnormal GCP identity-validation behavior from unusual principal context before broader session abuse or IAM manipulation occurs.
ATT&CK Technique
· T1078 – Valid Accounts
· T1550 – Use of Alternate Authentication Material
Telemetry Dependency
· GCP Cloud Audit Logs
· Principal identity
· Caller IP
· Method name
· Approved corporate IPs
· Baseline:
o known IP per principal
o known method usage
o first-seen validation method behavior
· Correlation dataset:
o recent Phase 1B-B activity
Tuning Explanation
This rule is tightened for:
· early validation behavior
· first-stage use of session-derived access
· low-and-slow identity establishment from abnormal context
It requires:
· authenticated GCP activity
· abnormal caller IP
· plus at least one of:
o recent Phase 1B-B correlation within 60 minutes
o first-seen validation method
o repeated validation activity
o validation-adjacent method usage in abnormal context
This rule must not be treated as a generic abnormal cloud login rule.
Detection Logic
· Detect authenticated GCP validation-related activity
· Exclude approved corporate IPs
· Require abnormal caller IP
· Require one of:
o recent Phase 1B-B correlation
o first-seen validation method
o repeated validation behavior
o validation-adjacent method usage
Operational Context
· Early cloud pivot detection after cookie-store access
· High value before broader session-material use or IAM manipulation
· Requires baseline method modeling for highest fidelity
System-Ready Code
SELECT
timestamp,
protopayload_auditlog.authenticationInfo.principalEmail AS principal_email,
protopayload_auditlog.methodName,
protopayload_auditlog.requestMetadata.callerIp
FROM `project.dataset.audit_logs`
WHERE protopayload_auditlog.authenticationInfo.principalEmail IS NOT NULL
AND protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip FROM approved_corporate_ranges
)
AND protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip
FROM baseline_ip_by_principal
WHERE principal = protopayload_auditlog.authenticationInfo.principalEmail
)
AND (
protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM recent_phase1bb_principals
WHERE seen_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 MINUTE)
)
OR (
protopayload_auditlog.authenticationInfo.principalEmail,
protopayload_auditlog.methodName
) IN (
SELECT principal, method_name
FROM first_seen_methods
)
OR protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM repeated_validation_activity
WHERE validation_count > 1
)
OR protopayload_auditlog.methodName IN (
'GenerateAccessToken',
'GenerateIdToken',
'GetIamPolicy'
)
);
Phase 1C — Token and Session Artifact Access
Suricata
Rule Name
CyberDax Suspicious External Validation Traffic Following Browser Memory or Session-Store Access Indicators
Purpose
Provide corroborating network telemetry for likely token or session-artifact access by identifying suspicious outbound validation or session-probing traffic shortly after endpoint-detected browser-memory or session-store interaction.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1071 – Application Layer Protocol
Telemetry Dependency
· Egress HTTP inspection and or TLS SNI visibility
· DNS telemetry
· Rare-domain, first-seen, or low-prevalence enrichment where available
· Correlation capability with endpoint Phase 1C detections
Tuning Explanation
This is a corroborating detector only and must not be used as a standalone token-theft or session-abuse rule. It is designed to identify suspicious outbound validation behavior that frequently follows local browser-memory or session-store interaction. To remain low-noise, it requires:
· suspicious external destination characteristics
· repeated or burst-like access behavior
· use in correlation with recent endpoint Phase 1C detections where available
It must not alert on generic browser HTTPS traffic alone.
Detection Logic
· Detect repeated outbound TLS communication to suspicious external destinations
· Prefer destinations that are:
o rare in the environment
o newly observed
o low reputation
· Use only as corroborating evidence tied to recent browser-memory or session-store access
Operational Context
· Highest value when enriching SentinelOne or Splunk detections
· Useful for detecting early external validation before fuller replay or broader session abuse
· Not intended to replace endpoint token or memory-access detection
System-Ready Code
# Required local variables:
# var USER_WORKSTATIONS [10.20.0.0/16,10.30.0.0/16]
# var APPROVED_AUTH_NETS [20.190.128.0/18,52.96.0.0/12,34.64.0.0/10]
pass tls $USER_WORKSTATIONS any -> $APPROVED_AUTH_NETS any (
msg:"CYBERDAX allow approved enterprise authentication traffic";
flow:established,to_server;
sid:5414202;
rev:1;
)
alert tls $USER_WORKSTATIONS any -> $EXTERNAL_NET any (
msg:"CYBERDAX suspicious external validation traffic following likely session-store or token access";
flow:established,to_server;
tls.sni;
detection_filter:track by_src, count 4, seconds 120;
classtype:trojan-activity;
sid:5414201;
rev:3;
metadata:deployment Egress, confidence medium, attack_target Workstation, role Corroborating, phase Phase1C;
)
SentinelOne
Rule Name
CyberDax Browser Memory or Session-Store Artifact Access by Unauthorized, User-Space, or Trusted-Abuse Process with Suspicious Execution Context
Purpose
Detect direct token and session-material handling by identifying unauthorized processes interacting with browser memory or explicitly scoped session-store and token-adjacent artifacts in suspicious execution context.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· SentinelOne Deep Visibility process telemetry
· Browser memory-access telemetry where available
· File interaction or file access telemetry for session-store or token-adjacent artifacts
· Parent-child process visibility
· Full process image path visibility
· Endpoint grouping or naming to distinguish support and administrative systems from standard user endpoints
· Optional but recommended:
o maintenance-window suppression
o approved debugging or security-tool allowlists
o signer or reputation metadata
o immediate follow-on network telemetry as investigation amplifier
Tuning Explanation
This is the primary Phase 1C endpoint analytic and is intentionally narrower than the previous draft to prevent overlap with earlier phases. It requires:
· one of:
o access to browser process memory
o access to explicitly scoped session-store or token-adjacent artifacts
· by either:
o a non-browser, non-password-manager process
o a browser-named process executing from abnormal user-space or non-standard path
o a trusted utility commonly abused for scraping, dumping, or export activity
· suspicious execution context through parent lineage or user-space execution origin
This rule is designed to detect:
· browser-memory scraping for live session material
· access to session-store artifacts before replay
· token-adjacent local artifact handling
· trusted-utility abuse such as powershell, rundll32, or procdump-style access
· browser-masquerading access from user-space or abnormal paths
This rule must not alert on:
· normal browser self-access
· sanctioned password-manager behavior
· approved debugging, security, or support workflows where locally modeled
· broad browser data access that belongs more naturally to earlier phases
Detection Logic
· Detect one of:
o browser process memory access against Chrome, Edge, Firefox, or Brave
o access to explicitly scoped 1C artifacts such as:
§ Firefox sessionstore.jsonlz4
§ browser session storage paths
§ token-adjacent local artifacts with clear session handling relevance
· Require one of the following process conditions:
o process is not an approved browser or password manager
o process name resembles a browser but executes from abnormal user-space or non-standard path
o process is a trusted utility commonly abused for scraping, dumping, or export such as powershell, pwsh, cmd, rundll32, wscript, cscript, mshta, or procdump
· Require suspicious execution context through one or more of:
o Office, Outlook, PDF, archive, script, or launcher parent
o execution from Temp or Downloads
o user-space browser-named executable outside expected install path
· Exclude support, admin, and maintenance populations before alerting
Operational Context
· Highest value on standard user workstations where non-browser access to browser memory or session-store artifacts is rare
· Strong signal for pre-replay session or token-material handling
· Best escalated immediately when paired with:
o recent lure interaction
o repeated session-store touches
o suspicious external validation traffic
· If memory-access telemetry or path fidelity is weak, this rule must not be treated as final production detection without local validation
System-Ready Code
(
(
TargetProcessName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND AccessType RegExp "(?i)(PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION)"
)
OR
FileFullName RegExp "(?i)(sessionstore\\.jsonlz4|sessionstore-backups|Session Storage|Local Storage\\\\leveldb|IndexedDB.*session|token[_-]?cache|access[_-]?token|refresh[_-]?token)"
)
AND
(
(
NOT TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND NOT TgtProcName RegExp "(?i)^(1password|lastpass|bitwarden|keepass|migwiz|usmt)\\.exe$"
)
OR
(
TgtProcName RegExp "(?i)^(chrome|msedge|firefox|brave)\\.exe$"
AND TgtProcImagePath RegExp "(?i)\\\\Users\\\\|\\\\ProgramData\\\\|\\\\Temp\\\\|\\\\AppData\\\\"
)
OR
TgtProcName RegExp "(?i)^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta|procdump)\\.exe$"
)
AND
(
SrcProcName RegExp "(?i)^(winword|excel|powerpnt|outlook|acrord32|7z|7za|winrar|rar|wscript|cscript|mshta|rundll32)\\.exe$"
OR TgtProcImagePath RegExp "(?i)\\\\AppData\\\\Local\\\\Temp\\\\"
OR TgtProcImagePath RegExp "(?i)\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\"
)
AND NOT EndpointName RegExp "(?i)^(HD-|HELPDESK-|IT-|SUPPORT-|SRV-IT-)"
AND NOT GroupName RegExp "(?i)(Helpdesk|IT Support|Desktop Support|Admin Workstations|Security Tools)"
AND NOT UserName RegExp "(?i)^(svc_|helpdesk|itadmin|support\\.)"
Splunk
Rule Name
CyberDax Browser Memory or Session-Store Artifact Access with Suspicious Context and Optional External Validation Correlation
Purpose
Detect token and session-material handling by correlating browser memory interaction or scoped session-store and token-adjacent artifact access with suspicious process context and optional near-term external validation behavior.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Normalized endpoint process telemetry
· Memory-access logs where available
· File access logs for session-store or token-adjacent artifacts
· Parent-process visibility
· Process executable path visibility where available
· DNS logs and or proxy / network logs for enrichment
· Lookup tables:
o cyberdax_browser_process_allowlist
o cyberdax_password_manager_allowlist
o cyberdax_support_assets
o cyberdax_support_users
o cyberdax_maintenance_windows
o cyberdax_trusted_browser_paths
o cyberdax_approved_debug_tools
· Optional but recommended:
o rare-domain enrichment
o recent lure-infrastructure correlation
Tuning Explanation
This is the primary SIEM analytic for Phase 1C and is intentionally narrower than the earlier draft to keep 1C scope clean. It requires:
· one of:
o browser-memory access
o scoped session-store or token-adjacent artifact access
· by one of:
o unauthorized non-browser process
o browser-named process outside trusted browser paths
o trusted utility abuse
· suspicious execution context through parent process or execution origin
The rule is designed to trigger on either:
· repeated memory or session-store access above threshold in a bounded interval
· a single high-risk event where process class and context strongly indicate malicious scraping or dumping
Optional external validation enrichment is included as a triage amplifier, not a hard requirement, to avoid suppressing true positives in environments with incomplete network correlation.
Detection Logic
· Collect endpoint events indicating either:
o browser-memory access
o scoped session-store or token-adjacent artifact access
· Normalize process, parent process, user, and host fields
· Exclude approved browsers, password managers, support assets, support users, maintenance windows, and approved debug tooling
· Identify suspicious process classes:
o unauthorized non-browser access
o browser-named process outside trusted browser path
o trusted utility abuse
· Require suspicious execution context:
o lure-adjacent parent process
o or Temp / Downloads execution origin
· Aggregate repeated events by host, user, process, and parent process
· Alert on:
o repeated access above threshold
o or single high-risk event with strong malicious process and context combination
· Preserve optional nearby external-validation context for triage
Operational Context
· Intended for workstation fleets where access to browser memory or session-store artifacts by non-browser or abnormal browser processes should be rare
· Strong indicator of pre-replay token or session-material handling
· Best escalated when correlated with:
o suspicious external validation traffic
o recent lure-infrastructure interaction
o later authentication anomalies
· If memory telemetry is sparse, parent-process visibility is missing, or process-path data is unavailable, do not treat this rule as final production detection without local validation
System-Ready Code
index=endpoint_logs
(
(
target_process_name="chrome.exe"
OR target_process_name="msedge.exe"
OR target_process_name="firefox.exe"
OR target_process_name="brave.exe"
)
AND access_type IN ("PROCESS_VM_READ","PROCESS_VM_WRITE","PROCESS_QUERY_INFORMATION")
)
OR
(
file_path="*sessionstore.jsonlz4*"
OR file_path="*sessionstore-backups*"
OR file_path="*Session Storage*"
OR file_path="*Local Storage\\leveldb*"
OR file_path="*IndexedDB*session*"
OR file_path="*token_cache*"
OR file_path="*access_token*"
OR file_path="*refresh_token*"
)
| eval process_name=lower(coalesce(process_name,Image,ProcessName))
| eval parent_process=lower(coalesce(parent_process,ParentImage,ParentProcessName))
| eval process_path=coalesce(process_path,ImagePath,process_executable)
| eval host=coalesce(host,computer,endpoint,asset)
| eval user=lower(coalesce(user,User,AccountName))
| lookup cyberdax_browser_process_allowlist process_name OUTPUT process_name as matched_browser
| lookup cyberdax_password_manager_allowlist process_name OUTPUT process_name as matched_pwmanager
| lookup cyberdax_support_assets asset as host OUTPUT asset as matched_asset
| lookup cyberdax_support_users user as user OUTPUT user as matched_user
| lookup cyberdax_maintenance_windows asset as host OUTPUT maintenance_active
| lookup cyberdax_approved_debug_tools process_name OUTPUT process_name as matched_debug
| eval suspicious_browser_path=if(match(process_name,"^(chrome|msedge|firefox|brave)\\.exe$") AND NOT like(process_path,"%Program Files%"),1,0)
| eval trusted_abuse=if(match(process_name,"^(powershell|pwsh|cmd|rundll32|wscript|cscript|mshta|procdump)\\.exe$"),1,0)
| eval nonbrowser_unauthorized=if(isnull(matched_browser) AND isnull(matched_pwmanager),1,0)
| eval suspicious_parent=if(match(parent_process,"^(winword|excel|powerpnt|outlook|acrord32|wscript|cscript|mshta|rundll32|7z|7za|winrar|rar)\\.exe$"),1,0)
| eval suspicious_exec_path=if(like(process_path,"%\\Temp\\%") OR like(process_path,"%\\Downloads\\%"),1,0)
| where isnull(matched_asset)
AND isnull(matched_user)
AND (isnull(maintenance_active) OR maintenance_active!="true")
AND isnull(matched_debug)
AND (nonbrowser_unauthorized=1 OR suspicious_browser_path=1 OR trusted_abuse=1)
AND (suspicious_parent=1 OR suspicious_exec_path=1)
| bin _time span=10m
| stats count as access_count earliest(_time) as first_seen latest(_time) as last_seen values(file_path) as file_paths values(target_process_name) as target_processes values(process_path) as process_paths by host user process_name parent_process _time trusted_abuse suspicious_browser_path nonbrowser_unauthorized suspicious_parent suspicious_exec_path
| eval high_risk_single=if(access_count>=1 AND (trusted_abuse=1 OR suspicious_browser_path=1) AND suspicious_parent=1,1,0)
| where access_count > 2 OR high_risk_single=1
| table first_seen last_seen host user process_name parent_process target_processes file_paths process_paths access_count high_risk_single
Elastic
Rule Name
CyberDax Browser Memory or Session-Store Artifact Access by Unauthorized, Masquerading, or Trusted-Abuse Process with Suspicious Execution Context
Purpose
Detect direct session-material handling by identifying unauthorized processes performing browser memory access or interacting with explicitly scoped session-store and token-adjacent artifacts under suspicious execution context.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Elastic Defend endpoint telemetry
· Process access events including memory access
· File access events with process linkage
· Parent-child process visibility
· Executable-path visibility
· Optional:
o signer metadata
o approved debug tool allowlists
o maintenance window tagging
Tuning Explanation
This rule is tuned to enforce true Phase 1C behavior:
primary signal:
· browser process memory access
secondary signal:
· scoped session-store or token-adjacent artifact access
It requires:
· browser process memory access
or
· access to tightly scoped session artifacts such as:
o sessionstore.jsonlz4
o Session Storage
o IndexedDB session-related paths
o token cache artifacts
o access token artifacts
o refresh token artifacts
And:
· suspicious process class
· suspicious execution context
This rule must not alert on:
· generic browser storage access
· cookie-only access
· normal browser self-access
Detection Logic
· Match:
o process access events targeting Chrome, Edge, Firefox, or Brave memory
or
o file access to tightly scoped 1C artifacts
· Require:
o unauthorized non-browser process
or
o browser-named process outside trusted install path
or
o trusted utility abuse
· Require:
o suspicious parent
or
o Temp / Downloads / user-space execution
Operational Context
· High-fidelity endpoint detector for direct session-material handling
· Strong precursor to replay or session abuse
· Should trigger immediate triage
System-Ready Code
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"bool": {
"must": [
{ "term": { "event.action": "process_access" } },
{
"terms": {
"process.Ext.api.name": [
"OpenProcess",
"NtReadVirtualMemory",
"NtWriteVirtualMemory"
]
}
},
{
"terms": {
"process.Ext.target.name": [
"chrome.exe",
"msedge.exe",
"firefox.exe",
"brave.exe"
]
}
}
]
}
},
{
"bool": {
"should": [
{ "wildcard": { "file.path": "*sessionstore.jsonlz4*" } },
{ "wildcard": { "file.path": "*Session Storage*" } },
{ "wildcard": { "file.path": "*IndexedDB*session*" } },
{ "wildcard": { "file.path": "*token_cache*" } },
{ "wildcard": { "file.path": "*access_token*" } },
{ "wildcard": { "file.path": "*refresh_token*" } }
],
"minimum_should_match": 1
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"bool": {
"must_not": {
"terms": {
"process.name": [
"chrome.exe","msedge.exe","firefox.exe","brave.exe",
"1password.exe","bitwarden.exe","keepass.exe"
]
}
}
}
},
{
"bool": {
"must": [
{ "terms": { "process.name": ["chrome.exe","msedge.exe","firefox.exe","brave.exe"] } },
{
"bool": {
"must_not": [
{ "regexp": { "process.executable": ".*\\\\Program Files.*" } }
]
}
}
]
}
},
{
"terms": {
"process.name": [
"powershell.exe","pwsh.exe","cmd.exe",
"rundll32.exe","wscript.exe","cscript.exe","mshta.exe","procdump.exe"
]
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{ "terms": { "process.parent.name": ["winword.exe","excel.exe","outlook.exe","acrord32.exe","7z.exe","winrar.exe"] } },
{ "regexp": { "process.executable": ".*\\\\Temp\\\\.*" } },
{ "regexp": { "process.executable": ".*\\\\Downloads\\\\.*" } }
],
"minimum_should_match": 1
}
}
]
}
}
}
QRadar
Rule Name
CyberDax Repeated Browser Memory or Session-Store Access by Unauthorized or Masquerading Process with Suspicious Execution Context
Purpose
Detect repeated or high-confidence single-event access to browser memory or session-store artifacts indicating active token or session-material handling.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· File access logs
· Process telemetry
· CRE correlation engine
· Reference sets:
o CYBERDAX_BROWSER_PROCESSES
o CYBERDAX_PASSWORD_MANAGER_PROCESSES
o CYBERDAX_SUPPORT_ASSETS
o CYBERDAX_SUPPORT_USERS
o CYBERDAX_MAINTENANCE_ASSETS
o CYBERDAX_TRUSTED_BROWSER_PATHS
o CYBERDAX_APPROVED_DEBUG_TOOLS
Tuning Explanation
This rule is designed for:
· repeated session-material handling
· or high-risk single-event browser memory access
It requires:
· memory access to browser process
or
· access to scoped 1C artifacts
· suspicious process class
· suspicious execution context
It suppresses:
· support activity
· approved tools
· expected browser behavior
Detection Logic
· Building Block 1:
o browser memory access
or
o session-store / token artifact access
· Building Block 2:
o unauthorized or masquerading process
or
o trusted utility abuse
· Building Block 3:
o suspicious parent
or
o Temp / Downloads execution
· Trigger when:
o 3 or more events in 10 minutes
or
o a high-risk single browser-memory access event
Operational Context
· Strong SIEM correlation detector for direct session-material handling
· High-value before replay or broader identity abuse
System-Ready Code
Reference Set: CYBERDAX_BROWSER_PROCESSES
Reference Set: CYBERDAX_PASSWORD_MANAGER_PROCESSES
Reference Set: CYBERDAX_SUPPORT_ASSETS
Reference Set: CYBERDAX_SUPPORT_USERS
Reference Set: CYBERDAX_MAINTENANCE_ASSETS
Reference Set: CYBERDAX_TRUSTED_BROWSER_PATHS
Reference Set: CYBERDAX_APPROVED_DEBUG_TOOLS
Building Block: CYBERDAX_Phase1C_Memory_Access
when event indicates process memory access
and target process is one of:
chrome.exe
msedge.exe
firefox.exe
brave.exe
Building Block: CYBERDAX_Phase1C_Session_Artifact
when file access matches one of:
sessionstore.jsonlz4
Session Storage
IndexedDB (session-related)
token_cache
access_token
refresh_token
Building Block: CYBERDAX_Unauthorized_Process
when process not in approved browser or password manager
or browser process outside trusted path
or process in approved abuse-prone tool list:
powershell.exe
pwsh.exe
cmd.exe
rundll32.exe
wscript.exe
cscript.exe
mshta.exe
procdump.exe
Building Block: CYBERDAX_Suspicious_Context
when parent process indicates Office, archive, PDF, or script
or execution path indicates Temp or Downloads
Rule: CYBERDAX Phase1C Session Access Detection
when (
(BB:CYBERDAX_Phase1C_Memory_Access OR BB:CYBERDAX_Phase1C_Session_Artifact)
AND BB:CYBERDAX_Unauthorized_Process
AND BB:CYBERDAX_Suspicious_Context
)
and (
event count >= 3 in 10 minutes
OR BB:CYBERDAX_Phase1C_Memory_Access observed
)
then create offense
Severity: 8
Relevance: 8
Credibility: 8
Sigma
Rule Name
CyberDax Browser Session Artifact or Memory Access by Unauthorized or Masquerading Process
Purpose
Provide portable supporting detection for browser memory access or scoped session-store artifact access by suspicious processes in suspicious context.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
· T1036 – Masquerading
Telemetry Dependency
· Endpoint file-access logs
· Process access or process visibility
· Parent-process visibility
· Execution-path visibility where available
Tuning Explanation
This rule is supporting content only. It is intentionally narrower than a full backend-native implementation and focuses on:
· session-store artifacts
· trusted abuse tools
· suspicious parent context
It should be used with stronger backend-native analytics where available.
Detection Logic
· Detect:
o sessionstore.jsonlz4
o Session Storage
o IndexedDB session references
o token cache artifacts
· Require:
o trusted-abuse or suspicious process
· Require:
o suspicious parent context
Operational Context
· Useful portable support rule
· Not intended to replace full primary detections
System-Ready Code
title: CyberDax Browser Session Artifact or Memory Access by Unauthorized Process
id: c7e72b01-6e69-4b08-84ff-cyberdax-phase1c-session
status: experimental
logsource:
product: windows
category: file_access
detection:
selection_path:
TargetFilename|contains:
- 'sessionstore.jsonlz4'
- 'Session Storage'
- 'IndexedDB'
- 'token_cache'
- 'access_token'
- 'refresh_token'
selection_proc:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\rundll32.exe'
- '\cmd.exe'
- '\procdump.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_parent:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\acrord32.exe'
- '\7z.exe'
- '\winrar.exe'
condition: selection_path and selection_proc and selection_parent
level: high
tags:
- attack.t1550
- attack.t1005
- attack.t1036
YARA
Rule Name
CyberDax Session-Store and Token Artifact Extraction Workflow Heuristic
Purpose
Support forensic confirmation of session-material handling by identifying code or staged artifacts consistent with session-store extraction, token parsing, and export or dump workflows.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1005 – Data from Local System
Telemetry Dependency
· Endpoint forensic collections
· File triage workflows
· Incident response artifact review
· EDR file telemetry where available
Tuning Explanation
This tightened rule is designed to reduce false positives by requiring all three workflow categories:
· at least one session-store indicator
· at least one token-handling indicator
· at least one extraction / dump / export workflow indicator
This makes it more clearly Phase 1C-specific and less likely to trigger on benign code that merely references storage or tokens.
Detection Logic
· Match session-store indicators such as:
o sessionstore.jsonlz4
o Session Storage
o IndexedDB session references
· Match token-handling indicators such as:
o access_token
o refresh_token
o token_cache
· Match workflow indicators such as:
o sqlite3
o SELECT
o export
o dump
o readprocessmemory
Operational Context
· Highest value during post-alert forensic triage
· Useful for confirming direct session-material extraction or parsing workflows
· Not intended as a standalone real-time detector
System-Ready Code
rule CYBERDAX_Session_Artifact_Extraction_Strict
{
meta:
description = "Heuristic for session-store and token-artifact extraction, parsing, or dump workflows"
author = "CyberDax Detection Engineering"
version = "1.1"
scope = "forensic triage"
strings:
$session1 = "sessionstore.jsonlz4" nocase
$session2 = "Session Storage" nocase
$session3 = "IndexedDB" nocase
$token1 = "access_token" nocase
$token2 = "refresh_token" nocase
$token3 = "token_cache" nocase
$work1 = "sqlite3" nocase
$work2 = "SELECT" nocase
$work3 = "export" nocase
$work4 = "dump" nocase
$work5 = "ReadProcessMemory" nocase
condition:
(1 of ($session*)) and (1 of ($token*)) and (1 of ($work*))
}
AWS
Rule Name
CyberDax Suspicious AWS Identity Validation or Access-Establishment Behavior Following Authentication Material Staging Indicators
Purpose
Detect likely attacker use of locally staged cookies, refresh tokens, or alternate authentication material by identifying suspicious AWS identity-validation or early access-establishment behavior from abnormal principal context shortly after Phase 1C endpoint signals.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1078 – Valid Accounts
Telemetry Dependency
· AWS CloudTrail
· Successful events for:
o ConsoleLogin
o GetCallerIdentity
o GetFederationToken
o AssumeRole
· Principal identity, source IP, user agent, region
· Approved corporate IP ranges
· Approved service or automation principals
· Baseline data for:
o known IP by principal
o known region by principal
o known user agent by principal
o known validation-action patterns by principal
· Correlation dataset:
o recent Phase 1C principals with bounded time context
· Optional:
o role sensitivity classification
o federation-context enrichment
Tuning Explanation
This is a primary cloud-side Phase 1C detector and is intentionally tuned for validation and access-establishment behavior, not full downstream account abuse. It requires:
· successful identity-validation or early access-establishment activity
· abnormal context such as:
o source IP not previously associated with the principal
o region not previously associated with the principal
o user agent not previously associated with the principal
· plus at least one of:
o recent Phase 1C endpoint correlation within 60 minutes
o first-seen validation or access-establishing action for that principal
o repeated suspicious identity-validation behavior in a bounded interval
o federation or token-adjacent validation behavior in abnormal context
This rule must not be deployed as a generic non-corporate login analytic.
Detection Logic
· Detect successful ConsoleLogin, GetCallerIdentity, GetFederationToken, or AssumeRole events
· Exclude approved service principals and approved corporate ranges
· Require abnormal source, region, or user-agent context
· Require one or more:
o recent Phase 1C correlation
o first-seen validation or access-establishing action
o repeated suspicious validation behavior
o federation or token-validation-style behavior
· Preserve principal, source IP, user agent, region, and action sequence for triage
Operational Context
· Highest value in environments using federated enterprise identities into AWS
· Strong signal when attackers pivot from locally staged authentication material into AWS validation or early role-backed access testing
· Especially useful before broader replay or role-abuse behavior appears
· If baseline IP, region, or user-agent modeling is unavailable, do not treat this as final production detection without local adaptation
System-Ready Code
SELECT
eventtime,
useridentity.arn AS principal_arn,
sourceipaddress AS source_ip,
eventname,
useragent,
awsregion
FROM cloudtrail_logs
WHERE eventname IN ('ConsoleLogin','GetCallerIdentity','GetFederationToken','AssumeRole')
AND errorcode IS NULL
AND useridentity.arn NOT IN (
SELECT principal FROM approved_service_principals
)
AND sourceipaddress NOT IN (
SELECT ip_or_range FROM approved_corporate_ranges
)
AND (
sourceipaddress NOT IN (
SELECT ip FROM baseline_ip_by_principal
WHERE principal = useridentity.arn
)
OR awsregion NOT IN (
SELECT region FROM baseline_region_by_principal
WHERE principal = useridentity.arn
)
OR useragent NOT IN (
SELECT user_agent FROM baseline_user_agent_by_principal
WHERE principal = useridentity.arn
)
)
AND (
useridentity.arn IN (
SELECT principal
FROM recent_phase1c_principals
WHERE seen_time >= NOW() - INTERVAL '60 minutes'
)
OR (useridentity.arn, eventname) IN (
SELECT principal, action_name
FROM first_seen_identity_validation
)
OR useridentity.arn IN (
SELECT principal_arn
FROM repeated_identity_validation_window
WHERE validation_count > 1
)
OR eventname IN ('GetFederationToken','AssumeRole')
);
Azure
Rule Name
CyberDax Suspicious Microsoft Entra Validation or Early Access Behavior Following Authentication Material Staging Indicators
Purpose
Detect likely attacker use of locally staged cookies, refresh tokens, or alternate authentication material by identifying suspicious successful Entra validation or early access behavior from abnormal device, IP, or client context shortly after Phase 1C endpoint signals.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1539 – Steal Web Session Cookie
· T1078 – Valid Accounts
Telemetry Dependency
· Microsoft Entra SigninLogs
· Successful sign-in events
· User principal, source IP, device context, user agent, app context
· Watchlists for:
o approved corporate IP ranges
o approved automation identities
· Optional but strongly recommended:
o trusted or named-location suppression
o device trust state
o baseline or enrichment data for new or rare IP, device, or user-agent context
o correlation flag from recent Phase 1C endpoint detections
o sign-in risk or token-protection context where locally available
Tuning Explanation
This is a primary cloud identity detector for Phase 1C and is tuned for early successful validation and access behavior after local authentication-material staging, not generic sign-in anomaly detection. It requires:
· successful sign-in activity
· abnormal context such as:
o non-corporate source IP
o rare or unmanaged device context
o uncommon user agent
· plus at least one of:
o recent Phase 1C endpoint correlation within 60 minutes
o repeated suspicious sign-in behavior in a bounded interval
o multi-application successful validation in abnormal context
o device trust mismatch or risk amplification where available
This rule must not be deployed as a generic new-device or non-corporate sign-in rule.
Detection Logic
· Detect successful Entra sign-ins
· Exclude approved corporate IP ranges and approved automation identities
· Summarize short-window activity by user, IP, device, user agent, and application count
· Require abnormal context
· Require one or more:
o recent Phase 1C correlation
o repeated suspicious sign-in behavior
o multi-app successful validation in abnormal context
o unmanaged-device or trust-mismatch condition
· Preserve user, source IP, device, user agent, and app context for triage
Operational Context
· Highest value where enterprise identities provide access to Microsoft cloud services
· Strong signal when attackers pivot from locally staged auth artifacts into successful but unusual Entra-backed access
· Especially valuable where stolen cookies or refresh tokens can generate successful sign-ins that do not look like password attacks
· If trusted-location suppression or device context is unavailable, do not treat this as final production detection without local adaptation
System-Ready Code
let ApprovedIPs = _GetWatchlist('cyberdax_approved_ip_ranges') | project SearchKey;
let AutomationAccounts = _GetWatchlist('cyberdax_automation_accounts') | project SearchKey;
let Phase1CUsers = _GetWatchlist('cyberdax_recent_phase1c_users') | project SearchKey;
SigninLogs
| where ResultType == 0
| where UserPrincipalName !in (AutomationAccounts)
| where IPAddress !in (ApprovedIPs)
| extend DeviceId = tostring(DeviceDetail.deviceId),
IsManaged = tostring(DeviceDetail.isManaged),
UA = tostring(UserAgent)
| summarize sign_in_count = count(),
first_seen = min(TimeGenerated),
last_seen = max(TimeGenerated),
app_count = dcount(AppDisplayName),
apps = make_set(AppDisplayName)
by UserPrincipalName, IPAddress, DeviceId, IsManaged, UA, bin(TimeGenerated, 30m)
| extend phase1c = UserPrincipalName in (Phase1CUsers)
| where phase1c == true
or sign_in_count > 1
or app_count > 1
or IsManaged == "false"
Deployment Note
· If approved IP watchlists are unavailable, substitute trusted-location or named-location suppression
· If device trust fields are unavailable, do not treat unmanaged-device logic as final production gating without local adaptation
· Successful sign-in alone must not be treated as suspicious without abnormal context, correlation, or additional validation indicators
GCP
Rule Name
CyberDax Suspicious GCP Validation or Early Access Behavior Following Authentication Material Staging Indicators
Purpose
Detect likely attacker use of locally staged cookies, refresh tokens, or alternate authentication material by identifying suspicious authenticated GCP validation or early access-establishment behavior from abnormal principal context shortly after Phase 1C endpoint signals.
ATT&CK Technique
· T1550 – Use of Alternate Authentication Material
· T1078 – Valid Accounts
· T1098 – Account Manipulation
Telemetry Dependency
· GCP Cloud Audit Logs
· Principal identity, caller IP, method name, project context
· Approved corporate IP allowlists
· Optional but strongly recommended:
o service account and automation allowlists
o baseline caller IP by principal
o first-seen method usage by principal
o repeated validation modeling
o correlation with recent Phase 1C endpoint detections
Tuning Explanation
This is a primary GCP follow-on detector for Phase 1C and is tuned for validation and access-establishing behavior after local auth-artifact staging, not broad post-compromise cloud abuse. It requires:
· authenticated validation-related or access-establishing GCP activity
· abnormal principal context such as:
o caller IP not previously associated with the principal
· plus at least one of:
o recent Phase 1C endpoint correlation within 60 minutes
o first-seen validation or access-establishing method usage
o repeated suspicious validation behavior
o validation-adjacent method usage such as GenerateAccessToken, GenerateIdToken, or GetIamPolicy
This rule must not be treated as a generic abnormal cloud login analytic.
Detection Logic
· Detect authenticated GCP validation-related or access-establishing activity
· Exclude approved corporate ranges
· Require abnormal caller context
· Require one or more:
o recent Phase 1C correlation
o first-seen validation or access-establishing method usage
o repeated suspicious validation behavior
o validation-adjacent method usage
· Preserve principal, caller IP, method, and project context for triage
Operational Context
· Highest value in organizations using federated enterprise identities into GCP
· Strong detector for post-staging cloud pivot activity before broader abuse
· Requires baseline method modeling for highest fidelity
· If baseline caller context is unavailable, do not treat this as final production detection without local adaptation
System-Ready Code
SELECT
timestamp,
protopayload_auditlog.authenticationInfo.principalEmail AS principal_email,
protopayload_auditlog.methodName AS method_name,
protopayload_auditlog.requestMetadata.callerIp AS caller_ip,
resource.labels.project_id AS project_id
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE protopayload_auditlog.authenticationInfo.principalEmail IS NOT NULL
AND protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip_or_range FROM `project.dataset.approved_corporate_ranges`
)
AND protopayload_auditlog.requestMetadata.callerIp NOT IN (
SELECT ip
FROM `project.dataset.baseline_ip_by_principal`
WHERE principal = protopayload_auditlog.authenticationInfo.principalEmail
)
AND (
protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM `project.dataset.recent_phase1c_principals`
WHERE seen_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 60 MINUTE)
)
OR (
protopayload_auditlog.authenticationInfo.principalEmail,
protopayload_auditlog.methodName
) IN (
SELECT principal, method_name
FROM `project.dataset.first_seen_methods`
)
OR protopayload_auditlog.authenticationInfo.principalEmail IN (
SELECT principal
FROM `project.dataset.repeated_validation_activity`
WHERE validation_count > 1
)
OR protopayload_auditlog.methodName IN (
'GenerateAccessToken',
'GenerateIdToken',
'GetIamPolicy'
)
);
S26 Detection Coverage Disposition Validation
Detection coverage must be evaluated against the full attack chain to ensure that each behavior is either detected, partially detected, or identified as a coverage gap.
· Coverage must map directly to behaviors defined in S18–S22
· Each behavior must have an associated detection rule, hunt procedure, or explicit gap statement
· Coverage classification must be consistent with telemetry availability
· Any behavior with an associated detection rule defaults to Detected unless justified otherwise
S26A Threat-to-Rule Traceability Matrix
· T1566 Phishing → Email telemetry correlation → Coverage: Detected
· T1204 User Execution → Identity interaction monitoring → Coverage: Partially Detected
· T1550 Use of Authentication Tokens → Session anomaly detection → Coverage: Not Covered
· T1555 Credentials from Password Stores → Endpoint credential monitoring → Coverage: Partially Detected
· T1098 Account Manipulation → Identity change monitoring → Coverage: Partially Detected
· T1021 Remote Services → Lateral movement monitoring → Coverage: Partially Detected
· T1071 Application Layer Protocol → Network anomaly detection → Coverage: Detected
· T1041 Exfiltration Over C2 Channel → Data exfiltration monitoring → Coverage: Partially Detected
S26B Coverage Disposition Summary
· Detected Behaviors:
o Phishing interaction signals with advanced email telemetry
o Network communication with suspicious domains
· Partially Detected Behaviors:
o Authentication anomalies without session correlation
o Credential access within valid user sessions
o Privilege escalation through legitimate account manipulation
· Not Covered Behaviors:
o Token reuse and session hijacking without session telemetry
o Multi-stage correlation across identity, endpoint, and network telemetry
· Conditional Post-Exploitation Behaviors:
o Advanced persistence and privilege abuse depending on attacker objectives and target environment
S26C Coverage Validation Outcome
· Detection capability is fragmented across telemetry sources
· Individual signals are observable but not operationalized into correlated detections
· SIEM systems lack stateful tracking required for identity-driven attack detection
· Overall detection posture is insufficient for identifying full attack chains
S26D Coverage Disposition Enforcement Statement
· All identified behaviors have been evaluated against detection coverage
· Behaviors lacking detection capability are explicitly classified as Not Covered
· Detection gaps are attributed to lack of correlation, not lack of telemetry
· Coverage disposition aligns with CyberDax rule-accountability standards
S27 Behavior and Log Artifacts
Behavioral signals must be correlated across telemetry pillars to identify attack progression.
· Identity-driven anomalies linked to endpoint and network behavior
· Session continuity anomalies indicating token reuse
· Cross-telemetry signals indicating coordinated attacker activity
S27A Infrastructure Intelligence
· Domain Patterns:
o Newly registered domains with rapid rotation
o Domains impersonating identity providers and SaaS platforms
· Hosting Patterns:
o Use of distributed VPS infrastructure across multiple ASNs
o Rapid provisioning and teardown to evade blocking
· Certificate Patterns:
o Automated TLS certificate issuance enabling trusted HTTPS communication
· Session Abuse Infrastructure:
o Proxy-based infrastructure for session capture and reuse
o Redirect chains used to maintain session validity
· Infrastructure Reuse:
o Shared phishing kits and backend infrastructure across campaigns
S28 Detection Strategy
Detection must be engineered to correlate behavior across identity, endpoint, and network telemetry.
· Prioritize identity-centric detection models
· Correlate multi-stage activity across time
· Integrate telemetry sources into unified detection logic
· Detect behavioral deviations rather than static indicators
S29 Detection Coverage Matrix (Strategic Layer)
· Endpoint Telemetry:
o Strong coverage for process and credential access visibility
o Gaps in session-context awareness
· Identity Telemetry:
o Strong coverage for authentication events
o Gaps in session lifecycle tracking
· Network Telemetry:
o Strong coverage for domain communication
o Gaps in attribution to user sessions
· Email Telemetry:
o Strong coverage for phishing detection
o Gaps in correlation to downstream activity
S30 Detection Validation
Detection effectiveness depends on the ability to correlate signals across all telemetry pillars.
· Detection failures are driven by lack of correlation rather than lack of visibility
· Behavioral detection models are required to identify identity-driven attacks
· SIEM systems must evolve to support multi-stage anomaly detection
· Detection validation confirms that current approaches are insufficient for modern attack models
S31 — Defensive Control and Hardening Architecture
Identity Security Layer
· Enforce phishing-resistant MFA across all external and privileged access paths
· Apply conditional access using device trust, IP reputation, and session risk to block abnormal identity validation behavior
· Enforce token protection and session binding to prevent reuse of stolen authentication material
· Restrict OAuth consent and service principal abuse to limit token-based persistence pathways
· Detect and invalidate anomalous sessions associated with abnormal identity validation
· Enforce least privilege to limit impact of compromised identities
Endpoint Security Layer
· Detect unauthorized access to browser credential stores to disrupt credential harvesting behavior
· Detect access to cookie stores and session artifacts outside browser processes
· Detect memory access targeting browser processes associated with token and session handling
· Restrict execution of credential extraction and memory access tooling through application control
· Monitor abnormal process lineage involving browsers and scripting engines
Email Security Layer
· Detect phishing delivery including credential harvesting templates and HTML smuggling techniques
· Block malicious attachments and embedded scripts used to initiate credential access
· Detect domain impersonation and newly registered domains associated with phishing infrastructure
· Correlate email delivery events with downstream endpoint activity
Network Security Layer
· Detect DNS resolution to newly registered and suspicious domains associated with phishing infrastructure
· Detect abnormal outbound communication patterns including low-frequency validation traffic
· Block communication with known malicious infrastructure
· Correlate network telemetry with endpoint and identity signals to identify attack progression
Detection and SOC Operations Layer
· Correlate email, endpoint, and identity signals to detect multi-stage attack chains
· Prioritize detection of credential access, session artifact handling, and identity validation behavior
· Enrich detections with user, device, and session context
· Execute containment actions including session invalidation and account restriction
Strategic Hardening Alignment
· Align controls to attacker behavior stages rather than technology domains
· Prioritize prevention of credential and session artifact access
· Ensure all controls support detection logic defined in S25 and S32
S32 — Detection Engineering Matrix (Operational Rule Layer)
Credential Store Access (Phase 1A)
· Behavior: Unauthorized access to browser credential storage
· ATT&CK Technique: T1555 – Credentials from Password Stores
· Detection Signal:
o Non-browser process accessing credential database paths
o Abnormal file access to credential storage locations
· Telemetry Source:
o Endpoint process telemetry
o File access logs for browser credential paths
· S25 Rule Mapping:
o SentinelOne Phase 1A credential store access rule
o Splunk Phase 1A credential file access correlation rule
o Sigma Phase 1A browser credential access rule
· Coverage Disposition: Detected
· Detection Notes:
o Requires file path monitoring and process lineage visibility
Session Artifact Access (Phase 1B-B)
· Behavior: Unauthorized access to browser session artifacts
· ATT&CK Technique: T1539 – Steal Web Session Cookie
· Detection Signal:
o Non-browser access to cookie and session storage
o File access to browser session data outside normal context
· Telemetry Source:
o Endpoint file access logs
o Process execution telemetry
· S25 Rule Mapping:
o SentinelOne Phase 1B-B session artifact access rule
o Splunk Phase 1B-B session file correlation rule
o Sigma Phase 1B-B session artifact detection
o YARA Phase 1B-B session extraction workflow rule
· Coverage Disposition: Detected
· Detection Notes:
o High fidelity when combined with process context
Token and Session Artifact Handling (Phase 1C)
· Behavior: Memory access and staging of authentication material
· ATT&CK Technique:
o T1550 – Use of Alternate Authentication Material
o T1539 – Steal Web Session Cookie
· Detection Signal:
o Memory access targeting browser processes
o Abnormal process handle interaction with browser memory
· Telemetry Source:
o EDR memory access telemetry
o Process interaction logs
· S25 Rule Mapping:
o SentinelOne Phase 1C memory access rule
o Splunk Phase 1C process-memory correlation rule
o Elastic Phase 1C endpoint memory analytics
o YARA Phase 1C token extraction rule
· Coverage Disposition: Detected
· Detection Notes:
o Requires EDR memory telemetry and suppression of legitimate tooling
Identity Validation Behavior (Post-Phase 1C)
· Behavior: Abnormal identity validation using compromised authentication material
· ATT&CK Technique:
o T1078 – Valid Accounts
o T1550 – Alternate Authentication Material
· Detection Signal:
o Successful authentication from abnormal IP, device, or user agent
o First-seen validation or repeated validation behavior
· Telemetry Source:
o Azure Entra SigninLogs
o AWS CloudTrail authentication events
o GCP audit authentication logs
· S25 Rule Mapping:
o AWS Phase 1C validation behavior rule
o Azure Phase 1C validation rule
o GCP Phase 1C validation rule
· Coverage Disposition: Partially Detected
· Detection Notes:
o Requires baseline modeling and correlation with endpoint signals
Multi-Stage Attack Correlation
· Behavior: Sequential attack chain across email, endpoint, and identity
· ATT&CK Technique:
o Multiple techniques across attack lifecycle
· Detection Signal:
o Phishing delivery followed by endpoint artifact access and identity validation
· Telemetry Source:
o Email logs
o Endpoint telemetry
o Identity logs
o Network telemetry
· S25 Rule Mapping:
o Cross-phase SIEM correlation rules
· Coverage Disposition: Partially Detected
· Detection Notes:
o Requires cross-domain telemetry integration and timing correlation
S33 — Strategic Defensive Improvements
Identity Security Improvements
· Implement phishing-resistant MFA to reduce successful credential compromise
· Enforce token protection to prevent reuse of authentication material
· Apply risk-based conditional access to reduce abnormal identity validation success
Endpoint Security Improvements
· Expand detection coverage for credential store, session artifact, and memory access behavior
· Restrict execution of credential extraction tooling
· Improve visibility into browser storage and process interaction telemetry
Email Security Improvements
· Enhance detection of credential harvesting campaigns and HTML smuggling
· Improve domain impersonation detection
· Strengthen correlation between email delivery and endpoint activity
Network and Infrastructure Improvements
· Improve detection of suspicious DNS queries and phishing infrastructure
· Enhance visibility into attacker infrastructure patterns including domain and ASN behavior
· Improve detection of abnormal outbound validation communication
Detection Engineering Improvements
· Transition to behavior-based detection models
· Implement multi-stage correlation across telemetry sources
· Continuously validate detection logic against evolving attacker techniques
SOC Operational Improvements
· Improve response workflows for identity compromise and session misuse
· Enhance alert enrichment and investigation processes
· Conduct adversary simulation to validate detection coverage
Control Impact Mapping
· MFA reduces likelihood of credential compromise
· Endpoint controls reduce credential and session artifact access
· Email controls reduce phishing success rate
· Network controls reduce attacker infrastructure communication
· Detection improvements reduce dwell time and improve early detection
S34 — Defensive Control & Hardening Architecture
Architecture Objective
· Establish a behavior-driven defensive architecture that detects and disrupts identity-based, multi-stage attacks
· Replace isolated control enforcement with correlation-enabled detection across telemetry domains
Identity-Centric Security Core
· Position identity as the primary control plane for access validation
· Enforce MFA, conditional access, and session controls governing identity validation behavior
· Integrate identity telemetry as a required signal for multi-stage detection
Endpoint Behavioral Enforcement Layer
· Capture endpoint behaviors including credential store access, session artifact interaction, and memory access targeting browser processes
· Enforce controls that disrupt credential harvesting and authentication material staging
· Feed endpoint telemetry directly into correlation pipelines
Email-Origin Attack Chain Integration
· Treat email as the initial attack vector and correlate delivery events with endpoint activity
· Enable early detection of credential harvesting campaigns
· Integrate email telemetry into multi-stage detection workflows
Network and Infrastructure Visibility Layer
· Integrate DNS and network telemetry to detect attacker infrastructure and validation traffic
· Maintain visibility into domain patterns, hosting behavior, and infrastructure reuse
· Feed network telemetry into correlation models
Cross-Telemetry Correlation Layer
· Correlate signals across email, endpoint, and identity domains
· Detect attacks as behavioral sequences rather than isolated events
· Enable SIEM evolution toward correlation-driven detection
Response Orchestration Layer
· Execute coordinated response across identity, endpoint, and network controls
· Prioritize session invalidation, account restriction, and host containment
· Align response actions to attack stage
Architectural Alignment to SIEM Limitations
· Eliminate reliance on single-event detection
· Enable multi-stage behavioral correlation
· Integrate telemetry across domains to address SIEM detection gaps
S35 — Defensive Control Mapping Matrix
Credential Store Access (Phase 1A)
· Behavior:
o Unauthorized access to browser credential storage
· Preventive Controls:
o Enforce application control to restrict access to credential store paths
o Enforce file system controls on browser credential directories
· Detective Controls:
o Detect non-browser process access to credential databases
o Detect abnormal process lineage associated with credential access
· Response Controls:
o Terminate processes accessing credential stores
o Isolate affected endpoints
· Telemetry Dependencies:
o EDR file access telemetry
o Process execution and lineage logs
· S25 Detection Mapping:
o SentinelOne Phase 1A credential store access rule
o Splunk Phase 1A credential file access correlation rule
o Sigma Phase 1A credential access detection
Session Artifact Access (Phase 1B-B)
· Behavior:
o Unauthorized access to browser session artifacts
· Preventive Controls:
o Enforce restriction of browser storage access to approved processes
o Enforce hardening of session storage directories
· Detective Controls:
o Detect non-browser access to cookie and session storage
o Detect file access to browser session data outside normal context
· Response Controls:
o Invalidate active sessions
o Reset affected credentials
· Telemetry Dependencies:
o Endpoint file access telemetry
o Process execution and lineage logs
· S25 Detection Mapping:
o SentinelOne Phase 1B-B session artifact access rule
o Splunk Phase 1B-B session artifact correlation rule
o Sigma Phase 1B-B session artifact detection
o YARA Phase 1B-B session extraction workflow rule
Token and Authentication Material Handling (Phase 1C)
· Behavior:
o Memory access and staging of authentication material
· Preventive Controls:
o Enforce token binding and session protection
o Enforce restriction of memory access to browser processes
· Detective Controls:
o Detect process memory access targeting browser processes
o Detect abnormal handle interaction with browser memory
· Response Controls:
o Revoke authentication tokens
o Restrict affected accounts
· Telemetry Dependencies:
o EDR memory access telemetry
o Process interaction and handle access logs
· S25 Detection Mapping:
o SentinelOne Phase 1C memory access rule
o Splunk Phase 1C process-memory correlation rule
o Elastic Phase 1C endpoint memory analytics
o YARA Phase 1C token extraction detection
Identity Validation Behavior (Post-Phase 1C)
· Behavior:
o Abnormal authentication using compromised credentials or tokens
· Preventive Controls:
o Enforce MFA across all access points
o Enforce conditional access policies based on risk signals
· Detective Controls:
o Detect abnormal authentication patterns across IP, device, and user agent
o Detect first-seen or anomalous identity validation behavior
· Response Controls:
o Invalidate active sessions
o Revoke access and restrict accounts
· Telemetry Dependencies:
o Azure Entra SigninLogs
o AWS CloudTrail authentication events
o GCP audit authentication logs
· S25 Detection Mapping:
o AWS Phase 1C validation behavior rule
o Azure Phase 1C validation rule
o GCP Phase 1C validation rule
Multi-Stage Attack Correlation
· Behavior:
o Sequential attack progression across email, endpoint, and identity domains
· Preventive Controls:
o Not known at this time.
· Detective Controls:
o Detect correlated sequence of phishing delivery, endpoint activity, and identity validation
o Detect temporal linkage across telemetry domains
· Response Controls:
o Execute coordinated containment across identity, endpoint, and network systems
· Telemetry Dependencies:
o Email gateway logs
o Endpoint telemetry
o Identity logs
o Network telemetry
· S25 Detection Mapping:
o Cross-phase SIEM correlation rules combining Phase 1A, Phase 1B-B, and Phase 1C detections
S36 — CyberDax Intelligence Maturity Assessment
Detection Maturity
· Behavior-driven detection implemented across credential and identity attack stages
· Correlation across telemetry domains partially mature
Telemetry Coverage Maturity
· Endpoint telemetry: Strong
· Identity telemetry: Moderate
· Email telemetry: Moderate
· Network telemetry: Moderate
Detection Engineering Maturity
· Detection logic aligned to attacker behavior
· Correlation capabilities require improvement
Response Readiness
· Containment capabilities present for identity compromise
· Automation requires improvement
Security Hardening Maturity
· Identity controls partially mature
· Endpoint controls aligned to credential protection
· Integration across domains requires improvement
Maturity Level
· Intermediate progressing toward Advanced
S30 Security Program Integration Note
· Improvements align to identity security, endpoint protection, and SOC modernization
S37 — Strategic Defensive Improvements
Identity Security Improvements
· Deploy phishing-resistant MFA
· Enforce token protection and session binding
· Strengthen conditional access for identity validation
Endpoint Security Improvements
· Expand detection of credential and session artifact access
· Improve memory access visibility
· Restrict execution of credential extraction tools
Email Security Improvements
· Enhance detection of phishing and credential harvesting
· Improve domain impersonation detection
· Strengthen email-to-endpoint correlation
Network and Infrastructure Improvements
· Improve detection of suspicious DNS and attacker infrastructure
· Enhance infrastructure intelligence integration
· Improve detection of validation-related communication
Detection Engineering Improvements
· Fully implement behavior-based detection models
· Expand multi-stage correlation
· Continuously validate detection logic
SOC Operational Improvements
· Improve response workflows for identity compromise
· Enhance alert enrichment and investigation
· Conduct adversary simulation
Control Impact Mapping
· MFA reduces credential compromise
· Endpoint controls reduce credential and session artifact access
· Email controls reduce phishing success
· Network controls reduce attacker communication
· Detection improvements reduce dwell time
S38 — Attack Economics & Organizational Impact Model
Attacker Cost Model
· Low cost for credential harvesting campaigns
· Minimal infrastructure required
· High scalability
Defender Cost Model
· High cost for correlation-based detection
· Operational overhead for monitoring multi-stage attacks
· Investment required for identity security
Monetization Paths
· Account takeover
· Initial access brokerage
· Data access and exfiltration
· Ransomware enablement
Organizational Cost Drivers
· Incident response
· Business disruption
· Regulatory exposure
· Reputation impact
S39 — Economic Impact & Organizational Exposure
Operational Exposure
· Unauthorized access to enterprise systems
· Lateral movement across identity infrastructure
· Service disruption
Financial Exposure
· Low scenario: limited compromise
· Moderate scenario: multiple account compromise
· High scenario: enterprise-wide identity compromise
Risk Drivers
· Weak identity controls
· Lack of multi-stage correlation
· Insufficient telemetry integration
Risk Reduction Factors
· Strong identity security
· Mature detection engineering
· Effective SOC operations
S40 — References
Security Vendor Analysis
· Microsoft Digital Defense Report detailing identity-driven attack trends
· hxxps://www.microsoft[.]com/en-us/security/business/security-insider/microsoft-digital-defense-report
· Mandiant M-Trends report on attacker behavior and detection gaps
· hxxps://www.mandiant[.]com/resources/reports/m-trends
· Google Threat Horizons report on credential abuse and identity attacks
· hxxps://cloud.google[.]com/threat-horizons
· Okta identity threat landscape report on credential and session abuse
· hxxps://www.okta[.]com/resources/whitepaper/identity-security-threat-landscape
Analytical Framework
· MITRE ATT&CK framework for behavioral mapping
hxxps://attack.mitre[.]org
