This detection rule flags unusual cookie creation or modification, activity that may indicate adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel, since such stealthy tactics often evade traditional detection methods.
YARA Rule
rule Cookies
{
    meta:
        description = "Cookies"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    condition:
        CookiesStrings
}
When this rule is deployed, the following benign scenarios are likely to trigger it; each lists the filter or exclusion that suppresses the expected matches:
Scenario: A system administrator is using Chrome DevTools to manually inspect and modify cookies for debugging purposes.
Filter/Exclusion: Exclude traffic originating from known admin workstations (e.g., src_ip = 192.168.1.100) or user agents associated with development tools (user_agent = "Chrome DevTools").
Scenario: A scheduled job runs nightly to clear session cookies using a script or tool like curl or Python requests.
Filter/Exclusion: Exclude requests with a specific header or payload (e.g., request_body = "clear_cookies"), or filter by job name (job_name = "nightly_cookie_cleanup").
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is configured to set cookies for testing purposes during automated builds.
Filter/Exclusion: Exclude traffic from CI/CD agents (e.g., src_ip = 10.0.0.0/24) or filter by job identifier in the request headers (X-Jenkins or X-GitHub-Action).
Scenario: A third-party analytics tool (e.g., Google Analytics, Mixpanel) sets cookies as part of normal operation.
Filter/Exclusion: Exclude requests to known analytics domains (e.g., dest_ip = 216.239.61.100 for Google Analytics) or filter by cookie names (e.g., cookie_name = "ga", cookie_name = "mp_123456789").
Scenario: A security tool (e.g., Wazuh, OSSEC) is configured to test cookie handling or inject test cookies during security assessments.
**Filter/Ex
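As an added example that is not part of the original page, the exclusions listed above are encoded as an allow-list and applied to constructed cookie events, leaving only the unexplained ones for analyst review. The field names (src_ip, user_agent, headers, job_name, request_body, dest_ip, cookie_name) follow the filters above; the event dictionary shape and the sample values are assumptions.

```python
# Added example: apply the page's false-positive exclusions to cookie events.
import ipaddress

# Exclusion values are the ones the scenarios above use as examples.
ADMIN_WORKSTATIONS = {"192.168.1.100"}
DEV_TOOL_USER_AGENTS = {"Chrome DevTools"}
CI_CD_SUBNETS = [ipaddress.ip_network("10.0.0.0/24")]
CI_CD_HEADERS = {"X-Jenkins", "X-GitHub-Action"}
MAINTENANCE_JOBS = {"nightly_cookie_cleanup"}
MAINTENANCE_BODIES = {"clear_cookies"}
ANALYTICS_DEST_IPS = {"216.239.61.100"}
ANALYTICS_COOKIES = {"ga", "mp_123456789"}


def exclusion_reason(event):
    """Return the name of the matching exclusion, or None to keep the event."""
    src = event.get("src_ip")
    # Host-based exclusion: suppresses everything from that host, so keep the
    # admin workstation list short and review it regularly.
    if src in ADMIN_WORKSTATIONS or event.get("user_agent") in DEV_TOOL_USER_AGENTS:
        return "admin_devtools"
    if event.get("job_name") in MAINTENANCE_JOBS or event.get("request_body") in MAINTENANCE_BODIES:
        return "scheduled_cookie_cleanup"
    try:
        if src and any(ipaddress.ip_address(src) in net for net in CI_CD_SUBNETS):
            return "ci_cd_agent"
    except ValueError:
        pass  # malformed src_ip: do not let it silently match a subnet rule
    if CI_CD_HEADERS & set(event.get("headers", {})):
        return "ci_cd_agent"
    if event.get("dest_ip") in ANALYTICS_DEST_IPS or event.get("cookie_name") in ANALYTICS_COOKIES:
        return "third_party_analytics"
    return None


def triage(events):
    """Split events into (suppressed with reason, kept for review)."""
    suppressed, review = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (suppressed.append((ev, reason)) if reason else review.append(ev))
    return suppressed, review


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"src_ip": "192.168.1.100", "user_agent": "Chrome DevTools", "cookie_name": "session"},
    {"src_ip": "10.0.0.17", "headers": {"X-Jenkins": "build-42"}, "cookie_name": "test"},
    {"src_ip": "172.16.5.9", "dest_ip": "216.239.61.100", "cookie_name": "ga"},
    {"src_ip": "172.16.5.9", "job_name": "nightly_cookie_cleanup"},
    {"src_ip": "203.0.113.7", "user_agent": "Mozilla/5.0", "cookie_name": "session"},
]
```

Running `triage(SAMPLE_EVENTS)` suppresses the first four events with their reasons and leaves the fifth for review; an event with a malformed src_ip is kept rather than matched.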