Ctrl+K

T1217 - Browser Information Discovery

Contents

T1217 - Browser Information Discovery#

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)

Atomic Tests#

Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on FreeBSD/LinuxSearches for Mozilla Firefox’s places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.#

Supported Platforms: linux#### Attack Commands: Run with sh

find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> /tmp/T1217-Firefox.txt \;
cat /tmp/T1217-Firefox.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 1

Cleanup:#

rm -f /tmp/T1217-Firefox.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 1 -Cleanup

Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOSSearches for Mozilla Firefox’s places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.#

Supported Platforms: macos#### Attack Commands: Run with sh

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/T1217_Firefox.txt \;
cat /tmp/T1217_Firefox.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 2

Cleanup:#

rm -f /tmp/T1217_Firefox.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 2 -Cleanup

Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOSSearches for Google Chrome’s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.#

Supported Platforms: macos#### Attack Commands: Run with sh

find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/T1217-Chrome.txt \;
cat /tmp/T1217-Chrome.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 3

Cleanup:#

rm -f /tmp/T1217-Chrome.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 3 -Cleanup

Atomic Test #4 - List Google Chromium Bookmark JSON Files on FreeBSDSearches for Google Chromium’s Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.#

Supported Platforms: linux#### Attack Commands: Run with sh

find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> /tmp/T1217-Chrome.txt \;
cat /tmp/T1217-Chrome.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 4

Cleanup:#

rm -f /tmp/T1217-Chrome.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 4 -Cleanup

Atomic Test #5 - List Google Chrome / Opera Bookmarks on Windows with powershellSearches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks.#

Upon execution, paths that contain bookmark files will be displayed. Supported Platforms: windows#### Attack Commands: Run with powershell

Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force

Invoke-AtomicTest T1217 -TestNumbers 5

Atomic Test #6 - List Google Chrome / Edge Chromium Bookmarks on Windows with command promptSearches for Google Chromes’s and Edge Chromium’s Bookmarks file (on Windows distributions) that contains bookmarks.#

Upon execution, paths that contain bookmark files will be displayed. Supported Platforms: windows#### Attack Commands: Run with command_prompt

where /R C:\Users\ Bookmarks

Invoke-AtomicTest T1217 -TestNumbers 6

Atomic Test #7 - List Mozilla Firefox bookmarks on Windows with command promptSearches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.#

Upon execution, paths that contain bookmark files will be displayed. Supported Platforms: windows#### Attack Commands: Run with command_prompt

where /R C:\Users\ places.sqlite

Invoke-AtomicTest T1217 -TestNumbers 7

Atomic Test #8 - List Internet Explorer Bookmarks using the command promptThis test will list the bookmarks for Internet Explorer that are found in the Favorites folderSupported Platforms: windows#### Attack Commands: Run with command_prompt#

dir /s /b %USERPROFILE%\Favorites

Invoke-AtomicTest T1217 -TestNumbers 8

Atomic Test #9 - List Safari Bookmarks on MacOSThis test searches for Safari’s Bookmarks file (on macOS) and lists any found instances to a text file.#

Supported Platforms: macos#### Attack Commands: Run with sh

find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> /tmp/T1217-Safari.txt 
cat /tmp/T1217-Safari.txt 

Invoke-AtomicTest T1217 -TestNumbers 9

Cleanup:#

rm -f /tmp/T1217-Safari.txt 2>/dev/null

Invoke-AtomicTest T1217 -TestNumbers 9 -Cleanup

Detection#

Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Shield Active Defense#

Decoy Content#

Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.

Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.

Opportunity#

There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.

Use Case#

A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement.

Procedures#

Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data. Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary.

Contents