security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1217/T1217.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

418 lines
10 KiB
Markdown
Raw Permalink Blame History

# T1217 - Browser Bookmark Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1217)
<blockquote>
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux](#atomic-test-1---list-mozilla-firefox-bookmark-database-files-on-freebsdlinux)
- [Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS](#atomic-test-2---list-mozilla-firefox-bookmark-database-files-on-macos)
- [Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS](#atomic-test-3---list-google-chrome-bookmark-json-files-on-macos)
- [Atomic Test #4 - List Google Chromium Bookmark JSON Files on FreeBSD](#atomic-test-4---list-google-chromium-bookmark-json-files-on-freebsd)
- [Atomic Test #5 - List Google Chrome / Opera Bookmarks on Windows with powershell](#atomic-test-5---list-google-chrome--opera-bookmarks-on-windows-with-powershell)
- [Atomic Test #6 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt](#atomic-test-6---list-google-chrome--edge-chromium-bookmarks-on-windows-with-command-prompt)
- [Atomic Test #7 - List Mozilla Firefox bookmarks on Windows with command prompt](#atomic-test-7---list-mozilla-firefox-bookmarks-on-windows-with-command-prompt)
- [Atomic Test #8 - List Internet Explorer Bookmarks using the command prompt](#atomic-test-8---list-internet-explorer-bookmarks-using-the-command-prompt)
- [Atomic Test #9 - List Safari Bookmarks on MacOS](#atomic-test-9---list-safari-bookmarks-on-macos)
- [Atomic Test #10 - Extract Edge Browsing History](#atomic-test-10---extract-edge-browsing-history)
- [Atomic Test #11 - Extract chrome Browsing History](#atomic-test-11---extract-chrome-browsing-history)
<br/>
## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux
Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.
**Supported Platforms:** Linux
**auto_generated_guid:** 3a41f169-a5ab-407f-9269-abafdb5da6c2
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | path | /tmp/T1217-Firefox.txt|
#### Attack Commands: Run with `sh`!
```sh
find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
```
#### Cleanup Commands:
```sh
rm -f #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS
Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.
**Supported Platforms:** macOS
**auto_generated_guid:** 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | path | /tmp/T1217_Firefox.txt|
#### Attack Commands: Run with `sh`!
```sh
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
```
#### Cleanup Commands:
```sh
rm -f #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS
Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.
**Supported Platforms:** macOS
**auto_generated_guid:** b789d341-154b-4a42-a071-9111588be9bc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | path | /tmp/T1217-Chrome.txt|
#### Attack Commands: Run with `sh`!
```sh
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
```
#### Cleanup Commands:
```sh
rm -f #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #4 - List Google Chromium Bookmark JSON Files on FreeBSD
Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.
**Supported Platforms:** Linux
**auto_generated_guid:** 88ca025b-3040-44eb-9168-bd8af22b82fa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | path | /tmp/T1217-Chrome.txt|
#### Attack Commands: Run with `sh`!
```sh
find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
```
#### Cleanup Commands:
```sh
rm -f #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #5 - List Google Chrome / Opera Bookmarks on Windows with powershell
Searches for Google Chrome's and Opera's Bookmarks file (on Windows distributions) that contains bookmarks.
Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** faab755e-4299-48ec-8202-fc7885eb6545
#### Attack Commands: Run with `powershell`!
```powershell
Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force
```
<br/>
<br/>
## Atomic Test #6 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks.
Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 76f71e2f-480e-4bed-b61e-398fe17499d5
#### Attack Commands: Run with `command_prompt`!
```cmd
where /R C:\Users\ Bookmarks
```
<br/>
<br/>
## Atomic Test #7 - List Mozilla Firefox bookmarks on Windows with command prompt
Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.
Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 4312cdbc-79fc-4a9c-becc-53d49c734bc5
#### Attack Commands: Run with `command_prompt`!
```cmd
where /R C:\Users\ places.sqlite
```
<br/>
<br/>
## Atomic Test #8 - List Internet Explorer Bookmarks using the command prompt
This test will list the bookmarks for Internet Explorer that are found in the Favorites folder
**Supported Platforms:** Windows
**auto_generated_guid:** 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
#### Attack Commands: Run with `command_prompt`!
```cmd
dir /s /b %USERPROFILE%\Favorites
```
<br/>
<br/>
## Atomic Test #9 - List Safari Bookmarks on MacOS
This test searches for Safari's Bookmarks file (on macOS) and lists any found instances to a text file.
**Supported Platforms:** macOS
**auto_generated_guid:** 5fc528dd-79de-47f5-8188-25572b7fafe0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | path | /tmp/T1217-Safari.txt|
#### Attack Commands: Run with `sh`!
```sh
find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```sh
rm -f #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #10 - Extract Edge Browsing History
This test will extract Microsoft Edge browser's history of current user
**Supported Platforms:** Windows
**auto_generated_guid:** 74094120-e1f5-47c9-b162-a418a0f624d5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Microsoft Edge browser history file path | String | $Env:LOCALAPPDATA&#92;Microsoft&#92;Edge&#92;User Data&#92;Default&#92;History|
| dest_path | Target file path to where the history to be extracted | String | $Env:USERPROFILE&#92;Downloads&#92;edgebrowsinghistory.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
$History | Out-File -FilePath "#{dest_path}"
```
#### Cleanup Commands:
```powershell
Remove-Item -Path "#{dest_path}"
```
<br/>
<br/>
## Atomic Test #11 - Extract chrome Browsing History
This test will extract browsing history of the chrome user
**Supported Platforms:** Windows
**auto_generated_guid:** cfe6315c-4945-40f7-b5a4-48f7af2262af
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$Username = (whoami).Split('\')[1]
$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
$History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
```
#### Cleanup Commands:
```powershell
Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink