frack113
28 lines
918 B
YAML
28 lines
918 B
YAML
title: Suspicious Where Execution
|
|
id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a
|
|
status: experimental
|
|
description: |
|
|
Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
|
|
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
|
|
internal network resources such as servers, tools/dashboards, or other related infrastructure.
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
|
|
author: frack113
|
|
date: 2021/12/13
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
where_exe:
|
|
Image|endswith: '\where.exe'
|
|
where_opt:
|
|
CommandLine|contains:
|
|
- 'Bookmarks'
|
|
- 'places.sqlite'
|
|
condition: all of where_*
|
|
falsepositives:
|
|
- unknown
|
|
level: low
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1217 |