Technique on mitre.org

T1217: Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

There are multiple implementations of this technique. Basic methods of its detection are given below. — Monitoring of events related to access to data saved by browsers, such as local files and databases. For example, places.sqlite (Firefox), Bookmarks at C:\Users, bookmarks at %USERPROFILE%\Favorites (IE on Windows), files at %APPDATA%/Google/Chrome, file %USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState. — Monitoring of events related to access to the above files (introduced as command line arguments) using native OS means, such as cmd, WMI, or PowerShell.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`).

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`). Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.

ID	DS0022	Data source and component	File: File Access	Description	Monitor for unusual access to stored browser data, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`). Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`).
DS0017	Command: Command Execution	Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`). Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.
DS0022	File: File Access	Monitor for unusual access to stored browser data, such as local files and databases (e.g., `%APPDATA%/Google/Chrome`). Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.