T1217: Browser Information Discovery
| View on MITRE ATT&CK | T1217 |
|---|---|
| Tactic(s) | Discovery |
| Associated CAPEC Patterns | Footprinting (CAPEC-169) |
Data from MITRE ATT&CK®:
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. (Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome). (Citation: Chrome Roaming Profiles)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Scattered Spider Advisory AA23-320A
This advisory from CISA outlines tactics, techniques and procedures used by the Scattered Spider threat actors, as observed by the FBI up until ...
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
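One way to act on the File Access data component above is to flag Windows EID 4663 events where a process outside an allow-list opens a browser data store. This is an added example, not code from MITRE or from this page; the store names, the profile marker, the allow-listed install path and the sample events are assumptions or constructed values.

```python
import ntpath

# Assumptions, not from the page: the store names, the profile marker, and the
# allow-listed install path. Tune all three for your environment.
PROFILE_MARKERS = ("\\google\\chrome\\",)
DATA_STORES = {"bookmarks", "history", "login data"}
BROWSER_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}


def is_suspicious(event):
    """True when a process outside the allow-list opens a browser data store."""
    if event.get("EventID") != 4663:          # only File Access events
        return False
    obj = event.get("ObjectName", "").replace("/", "\\").lower()
    image = event.get("ProcessName", "").replace("/", "\\").lower()
    in_profile = any(marker in obj for marker in PROFILE_MARKERS)
    is_store = ntpath.basename(obj) in DATA_STORES
    # Compare the full image path: a basename check would trust any chrome.exe.
    return in_profile and is_store and image not in BROWSER_IMAGES


def triage(events):
    """Return (user, process, file) for each suspicious access, in input order."""
    return [(e.get("SubjectUserName", "?"), e.get("ProcessName", "?"), e["ObjectName"])
            for e in events if is_suspicious(e)]


PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
# Constructed sample events; field names follow Windows Security event 4663.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": PROFILE + r"\History"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": PROFILE + r"\Bookmarks"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "ObjectName": PROFILE + r"\Login Data"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\History"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "ObjectName": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Event 4663 is only generated when file system auditing is enabled and an audit entry (SACL) covers the profile directory, so confirm that coverage before relying on this check.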