PT Sandbox

Profound defense against sophisticated malware and zero-day threats

T1217: Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

IDDS0022Data source and componentFile: File AccessDescription

Monitor for unusual access to stored browser data, such as local files and databases (e.g., %APPDATA%/Google/Chrome). Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome).

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome). Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.