cscli scenarios install sigmahq/proc_creation_win_sqlite_chromium_profile_data1type: trigger2name: sigmahq/proc_creation_win_sqlite_chromium_profile_data3description: |4 Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Product == 'SQLite' || evt.Parsed.Image endsWith '\\sqlite.exe' || evt.Parsed.Image endsWith '\\sqlite3.exe') && (evt.Parsed.CommandLine contains '\\User Data\\' || evt.Parsed.CommandLine contains '\\Opera Software\\' || evt.Parsed.CommandLine contains '\\ChromiumViewer\\') && (evt.Parsed.CommandLine contains 'Login Data' || evt.Parsed.CommandLine contains 'Cookies' || evt.Parsed.CommandLine contains 'Web Data' || evt.Parsed.CommandLine contains 'History' || evt.Parsed.CommandLine contains 'Bookmarks'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t153915 - attack.t1555.00316 - attack.t10051718 label: "SQLite Chromium Profile Data DB Access"19 behavior : "windows:audit"20 remediation: false2122scope:23 type: ParentProcessId24 expression: evt.Parsed.ParentProcessId2526