T1217

Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

Microsoft Sentinel / Defender

kusto

let BrowserDataFiles = dynamic([
  "History", "Bookmarks", "Login Data", "Cookies", "Web Data",
  "places.sqlite", "logins.json", "key4.db", "LocalState",
  "Favicons", "Network Action Predictor", "Visited Links",
  "Extension Cookies", "TransportSecurity", "BookmarksExtended"
]);
let LegitBrowserProcesses = dynamic([
  "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
  "opera.exe", "iexplore.exe", "MicrosoftEdge.exe", "msedgewebview2.exe",
  "chromium.exe", "vivaldi.exe"
]);
let BrowserDataPaths = dynamic([
  "\\Google\\Chrome\\User Data\\",
  "\\Microsoft\\Edge\\User Data\\",
  "\\Mozilla\\Firefox\\Profiles\\",
  "\\BraveSoftware\\Brave-Browser\\User Data\\",
  "\\Opera Software\\Opera Stable\\",
  "\\Vivaldi\\User Data\\"
]);
let NoisySystemProcesses = dynamic([
  "MsMpEng.exe", "SearchIndexer.exe", "SgrmBroker.exe",
  "CompatTelRunner.exe", "TiWorker.exe"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileCopied", "FileCreated", "FileRenamed")
| where FolderPath has_any (BrowserDataPaths)
| where FileName in~ (BrowserDataFiles)
| where not(InitiatingProcessFileName in~ (LegitBrowserProcesses))
| where not(InitiatingProcessFileName in~ (NoisySystemProcesses))
| extend IsScriptEngine = InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend IsArchiver = InitiatingProcessFileName in~ ("7z.exe", "winrar.exe", "zip.exe", "robocopy.exe", "xcopy.exe", "tar.exe")
| extend IsPython = InitiatingProcessFileName in~ ("python.exe", "python3.exe", "pythonw.exe")
| extend IsSuspiciousPath = InitiatingProcessFolderPath has_any ("\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\", "\\Public\\")
| extend RiskScore = toint(IsScriptEngine) + toint(IsArchiver) + toint(IsPython) + toint(IsSuspiciousPath)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, InitiatingProcessParentFileName,
          IsScriptEngine, IsArchiver, IsPython, IsSuspiciousPath, RiskScore
| sort by RiskScore desc, Timestamp desc

medium severity medium confidence

Data Sources

File: File Access File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Backup software (Veeam, Acronis, Windows Backup) backing up user AppData directories including browser profiles
Enterprise endpoint management tools (Tanium, BigFix, SCCM inventory agents) performing asset scans of user profile contents
Password managers (1Password, Bitwarden, KeePass import utilities) reading browser data for credential import/migration workflows
Browser profile migration or sync tools (e.g., MigrationAssistant, PCmover) during workstation refresh cycles
Security tools and DLP agents that scan browser storage as part of data classification or credential exposure monitoring

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (
    TargetFilename="*\\Google\\Chrome\\User Data\\*" OR
    TargetFilename="*\\Microsoft\\Edge\\User Data\\*" OR
    TargetFilename="*\\Mozilla\\Firefox\\Profiles\\*" OR
    TargetFilename="*\\BraveSoftware\\Brave-Browser\\User Data\\*" OR
    TargetFilename="*\\Opera Software\\Opera Stable\\*"
  )
  (
    TargetFilename="*History*" OR TargetFilename="*Bookmarks*" OR
    TargetFilename="*Login Data*" OR TargetFilename="*Cookies*" OR
    TargetFilename="*places.sqlite*" OR TargetFilename="*logins.json*" OR
    TargetFilename="*key4.db*" OR TargetFilename="*LocalState*" OR
    TargetFilename="*Web Data*" OR TargetFilename="*Favicons*"
  )
  NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
    OR Image="*\\brave.exe" OR Image="*\\chromium.exe" OR Image="*\\vivaldi.exe"
    OR Image="*\\MsMpEng.exe" OR Image="*\\SearchIndexer.exe"
    OR Image="*\\msedgewebview2.exe")
| eval IsScriptEngine=if(match(Image, "(?i)(powershell|pwsh|cmd|wscript|cscript|mshta)"), 1, 0)
| eval IsPython=if(match(Image, "(?i)(python[23]?\.exe|pythonw\.exe)"), 1, 0)
| eval IsArchiver=if(match(Image, "(?i)(7z|winrar|zip|robocopy|xcopy|tar)"), 1, 0)
| eval IsSuspiciousPath=if(match(Image, "(?i)(\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\downloads\\\\|\\\\public\\\\)"), 1, 0)
| eval RiskScore=IsScriptEngine + IsPython + IsArchiver + IsSuspiciousPath
| eval BrowserType=case(
    match(TargetFilename, "(?i)chrome"), "Chrome",
    match(TargetFilename, "(?i)edge"), "Edge",
    match(TargetFilename, "(?i)firefox|places|logins|key4"), "Firefox",
    match(TargetFilename, "(?i)brave"), "Brave",
    1=1, "Unknown"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, BrowserType,
        IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore
| sort - RiskScore - _time

medium severity medium confidence

Data Sources

File: File Creation File: File Modification Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software (Veeam, Acronis, Windows Backup) backing up user AppData directories including browser profiles
Enterprise endpoint management tools (Tanium, BigFix, SCCM inventory agents) performing asset scans of user profile contents
Password managers (1Password, Bitwarden, KeePass import utilities) reading browser data for credential import/migration workflows
Browser profile migration or sync tools (e.g., MigrationAssistant, PCmover) during workstation refresh cycles
Security tools and DLP agents that scan browser storage as part of data classification or credential exposure monitoring

Elastic Security (EQL)

eql

file where event.category == "file" and
  event.action in ("creation", "modification", "access") and
  (
    file.path like~ "*\\Google\\Chrome\\User Data\\*" or
    file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
    file.path like~ "*\\Mozilla\\Firefox\\Profiles\\*" or
    file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*" or
    file.path like~ "*\\Opera Software\\Opera Stable\\*" or
    file.path like~ "*\\Vivaldi\\User Data\\*"
  ) and
  file.name in~ (
    "History", "Bookmarks", "Login Data", "Cookies", "Web Data",
    "places.sqlite", "logins.json", "key4.db", "LocalState",
    "Favicons", "Network Action Predictor", "Visited Links",
    "Extension Cookies", "TransportSecurity"
  ) and
  not process.name in~ (
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
    "opera.exe", "iexplore.exe", "MicrosoftEdge.exe", "msedgewebview2.exe",
    "chromium.exe", "vivaldi.exe", "MsMpEng.exe", "SearchIndexer.exe",
    "SgrmBroker.exe", "CompatTelRunner.exe", "TiWorker.exe"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.file-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Enterprise backup software (Veeam, Acronis, Commvault) performing file-level backups of user profile directories during scheduled backup windows — these agents legitimately read browser data files at the OS level
IT asset management and software inventory tools (SCCM inventory, Tanium, Nexthink) scanning user profile directories to enumerate installed browser versions, cached credentials indicators, or extension lists
Antivirus or EDR products other than Windows Defender performing full-system scan routines may open browser data files for malware signature scanning — particularly third-party AV engines running as non-browser process names
Password manager desktop applications (KeePass, 1Password, Bitwarden) that provide browser credential import functionality by reading browser Login Data SQLite files at user request
Browser profile migration or synchronization utilities used during OS refresh or workstation provisioning workflows that copy entire profile directories

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  sourceip AS SourceIP,
  username AS Username,
  "Machine Identifier" AS Hostname,
  "Process Name" AS ProcessName,
  "Process Path" AS ProcessPath,
  "Command Line" AS CommandLine,
  "Target Filename" AS TargetFilename,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Process Name") MATCHES '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta)' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Process Name") MATCHES '(?i)(python3?\.exe|pythonw\.exe)' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Process Name") MATCHES '(?i)(7z|winrar|zip|robocopy|xcopy|tar)\.exe' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Process Path") MATCHES '(?i)(\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\downloads\\\\|\\\\public\\\\)' THEN 1
    ELSE 0
  END AS RiskScore,
  CASE
    WHEN LOWER("Target Filename") LIKE '%\\google\\chrome\\%' THEN 'Chrome'
    WHEN LOWER("Target Filename") LIKE '%\\microsoft\\edge\\%' THEN 'Edge'
    WHEN LOWER("Target Filename") LIKE '%\\mozilla\\firefox\\%' THEN 'Firefox'
    WHEN LOWER("Target Filename") LIKE '%places.sqlite%' THEN 'Firefox'
    WHEN LOWER("Target Filename") LIKE '%logins.json%' THEN 'Firefox'
    WHEN LOWER("Target Filename") LIKE '%key4.db%' THEN 'Firefox'
    WHEN LOWER("Target Filename") LIKE '%\\bravesoftware\\%' THEN 'Brave'
    WHEN LOWER("Target Filename") LIKE '%\\vivaldi\\%' THEN 'Vivaldi'
    ELSE 'Unknown'
  END AS BrowserTarget
FROM events
WHERE
  "EventID" = '11'
  AND (
    LOWER("Target Filename") LIKE '%\\google\\chrome\\user data\\%'
    OR LOWER("Target Filename") LIKE '%\\microsoft\\edge\\user data\\%'
    OR LOWER("Target Filename") LIKE '%\\mozilla\\firefox\\profiles\\%'
    OR LOWER("Target Filename") LIKE '%\\bravesoftware\\brave-browser\\user data\\%'
    OR LOWER("Target Filename") LIKE '%\\opera software\\opera stable\\%'
    OR LOWER("Target Filename") LIKE '%\\vivaldi\\user data\\%'
  )
  AND (
    LOWER("Target Filename") LIKE '%history%'
    OR LOWER("Target Filename") LIKE '%bookmarks%'
    OR LOWER("Target Filename") LIKE '%login data%'
    OR LOWER("Target Filename") LIKE '%cookies%'
    OR LOWER("Target Filename") LIKE '%web data%'
    OR LOWER("Target Filename") LIKE '%places.sqlite%'
    OR LOWER("Target Filename") LIKE '%logins.json%'
    OR LOWER("Target Filename") LIKE '%key4.db%'
    OR LOWER("Target Filename") LIKE '%localstate%'
    OR LOWER("Target Filename") LIKE '%favicons%'
  )
  AND NOT (
    LOWER("Process Name") LIKE '%chrome.exe'
    OR LOWER("Process Name") LIKE '%msedge.exe'
    OR LOWER("Process Name") LIKE '%firefox.exe'
    OR LOWER("Process Name") LIKE '%brave.exe'
    OR LOWER("Process Name") LIKE '%chromium.exe'
    OR LOWER("Process Name") LIKE '%vivaldi.exe'
    OR LOWER("Process Name") LIKE '%opera.exe'
    OR LOWER("Process Name") LIKE '%msedgewebview2.exe'
    OR LOWER("Process Name") LIKE '%msmpeeng.exe'
    OR LOWER("Process Name") LIKE '%searchindexer.exe'
    OR LOWER("Process Name") LIKE '%sgrmbroker.exe'
    OR LOWER("Process Name") LIKE '%compattelrunner.exe'
    OR LOWER("Process Name") LIKE '%tiworker.exe'
  )
LAST 24 HOURS
ORDER BY RiskScore DESC, starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via QRadar Sysmon DSM QRadar WinCollect agent with Sysmon event forwarding Windows Security Event Log

Required Tables

events (QRadar)

False Positives

Enterprise backup agents (Commvault, NetBackup, Veeam) that include user profile directories in backup job definitions generate high-volume false positives during scheduled backup windows — whitelist backup agent process names after validation
System profiling and software inventory tools deployed by IT operations that enumerate installed browser versions, profile locations, and extension manifests as part of asset inventory collection
Developer tools and IDE extensions that integrate with browser profiles for automated testing workflows, particularly Selenium/WebDriver-adjacent tooling that reads or writes Chrome/Firefox profiles

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*winlogbeat* OR _sourceCategory=*microsoft*windows*sysmon*)
| where EventID = "11"
| where TargetFilename matches "*\\Google\\Chrome\\User Data\\*"
  OR TargetFilename matches "*\\Microsoft\\Edge\\User Data\\*"
  OR TargetFilename matches "*\\Mozilla\\Firefox\\Profiles\\*"
  OR TargetFilename matches "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
  OR TargetFilename matches "*\\Opera Software\\Opera Stable\\*"
  OR TargetFilename matches "*\\Vivaldi\\User Data\\*"
| where TargetFilename matches "*History*"
  OR TargetFilename matches "*Bookmarks*"
  OR TargetFilename matches "*Login Data*"
  OR TargetFilename matches "*Cookies*"
  OR TargetFilename matches "*Web Data*"
  OR TargetFilename matches "*places.sqlite*"
  OR TargetFilename matches "*logins.json*"
  OR TargetFilename matches "*key4.db*"
  OR TargetFilename matches "*LocalState*"
  OR TargetFilename matches "*Favicons*"
| where !(Image matches "*\\chrome.exe"
  OR Image matches "*\\msedge.exe"
  OR Image matches "*\\firefox.exe"
  OR Image matches "*\\brave.exe"
  OR Image matches "*\\chromium.exe"
  OR Image matches "*\\vivaldi.exe"
  OR Image matches "*\\opera.exe"
  OR Image matches "*\\msedgewebview2.exe"
  OR Image matches "*\\MicrosoftEdge.exe"
  OR Image matches "*\\MsMpEng.exe"
  OR Image matches "*\\SearchIndexer.exe"
  OR Image matches "*\\SgrmBroker.exe"
  OR Image matches "*\\CompatTelRunner.exe"
  OR Image matches "*\\TiWorker.exe")
| if (Image matches "*powershell*" OR Image matches "*pwsh.exe" OR Image matches "*cmd.exe" OR Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe", 1, 0) as IsScriptEngine
| if (Image matches "*python3.exe" OR Image matches "*python.exe" OR Image matches "*pythonw.exe", 1, 0) as IsPython
| if (Image matches "*7z.exe" OR Image matches "*winrar.exe" OR Image matches "*robocopy.exe" OR Image matches "*xcopy.exe" OR Image matches "*tar.exe", 1, 0) as IsArchiver
| if (Image matches "*\\Temp\\*" OR Image matches "*\\AppData\\Roaming\\*" OR Image matches "*\\Downloads\\*" OR Image matches "*\\Public\\*", 1, 0) as IsSuspiciousPath
| IsScriptEngine + IsPython + IsArchiver + IsSuspiciousPath as RiskScore
| if (TargetFilename matches "*Chrome*" OR TargetFilename matches "*chrome*", "Chrome",
    if (TargetFilename matches "*Edge*" OR TargetFilename matches "*edge*", "Edge",
    if (TargetFilename matches "*Firefox*" OR TargetFilename matches "*firefox*"
        OR TargetFilename matches "*places.sqlite*"
        OR TargetFilename matches "*logins.json*"
        OR TargetFilename matches "*key4.db*", "Firefox",
    if (TargetFilename matches "*Brave*" OR TargetFilename matches "*brave*", "Brave",
    if (TargetFilename matches "*Vivaldi*", "Vivaldi", "Unknown"))))) as BrowserTarget
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, BrowserTarget, IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore
| sort by RiskScore, _messageTime

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Sumo Logic Windows Event Log source forwarding Sysmon/Operational channel Sumo Logic OpenTelemetry collector with Windows Events receiver

Required Tables

Sysmon EventID 11 logs ingested via Sumo Logic collector

False Positives

Sumo Logic's own Installed Collector agent or other log aggregation agents (Splunk UF, NXLog, Winlogbeat) may briefly access filesystem paths during log source configuration validation or broad file monitoring rule evaluation
Corporate data loss prevention (DLP) solutions (Symantec DLP, Forcepoint) performing content inspection of browser storage files to enforce policy against sensitive data caching in browsers
Endpoint detection and response platforms performing scheduled baseline snapshots or continuous file integrity monitoring of browser profile directories as part of their threat detection engine

Google Chronicle / SecOps

yaral

rule browser_information_discovery_t1217 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1217 Browser Information Discovery: non-browser processes accessing browser credential, history, and session files in known browser profile directories"
    technique_id = "T1217"
    tactic = "Discovery"
    platform = "Windows"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1217/"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "FILE_OPEN" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_COPY" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )

    (
      re.regex($e.target.file.full_path, `(?i)\\Google\\Chrome\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Microsoft\\Edge\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Mozilla\\Firefox\\Profiles\\`) or
      re.regex($e.target.file.full_path, `(?i)\\BraveSoftware\\Brave-Browser\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Opera Software\\Opera Stable\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Vivaldi\\User Data\\`)
    )

    re.regex($e.target.file.full_path, `(?i)(History|Bookmarks|Login Data|Cookies|Web Data|places\.sqlite|logins\.json|key4\.db|LocalState|Favicons|Visited Links|Extension Cookies|TransportSecurity)`)

    not re.regex($e.principal.process.file.full_path, `(?i)(\\chrome\.exe|\\msedge\.exe|\\firefox\.exe|\\brave\.exe|\\opera\.exe|\\chromium\.exe|\\vivaldi\.exe|\\msedgewebview2\.exe|\\MicrosoftEdge\.exe|\\MsMpEng\.exe|\\SearchIndexer\.exe|\\SgrmBroker\.exe|\\CompatTelRunner\.exe|\\TiWorker\.exe)$`)

    $e.principal.process.file.full_path != ""
    $e.principal.user.userid = $user
    $e.principal.hostname = $hostname

  match:
    $user, $hostname over 1h

  outcome:
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(python3?\.exe|pythonw\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(7z\.exe|winrar\.exe|zip\.exe|robocopy\.exe|xcopy\.exe|tar\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)\\(Temp|AppData\\Roaming|Downloads|Public)\\`), 25, 0)
    )
    $event_count = count_distinct($e.metadata.id)
    $target_files = array_distinct($e.target.file.full_path)
    $initiating_processes = array_distinct($e.principal.process.file.full_path)
    $browser_targets = array_distinct(
      if(re.regex($e.target.file.full_path, `(?i)\\Chrome\\`), "Chrome",
      if(re.regex($e.target.file.full_path, `(?i)\\Edge\\`), "Edge",
      if(re.regex($e.target.file.full_path, `(?i)(Firefox|places\.sqlite|logins\.json|key4\.db)`), "Firefox",
      if(re.regex($e.target.file.full_path, `(?i)\\Brave`), "Brave", "Unknown"))))
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle SIEM with Endpoint Detection telemetry Windows Sysmon forwarded via Chronicle Forwarder (BindPlane) CrowdStrike Falcon via Chronicle SIEM integration Microsoft Defender for Endpoint via Chronicle MDET integration Carbon Black Cloud via Chronicle integration

Required Tables

UDM events with FILE_OPEN, FILE_CREATION, FILE_COPY, FILE_MODIFICATION event types ingested with principal.process and target.file fields populated

False Positives

Enterprise backup solutions integrated with Chronicle telemetry (Cohesity, Rubrik, Veeam) that perform file-level backups covering user profile directories — backup agent process names should be added to the exclusion regex after environment-specific validation
IT provisioning and workstation migration tools that copy or transfer browser profiles during OS refresh, hardware replacement, or domain migration workflows — these generate file copy events across browser data paths at high volume
Security operations tooling performing automated forensic collection of browser artifacts (KAPE, Velociraptor, OSQuery) as part of incident response playbook execution may trigger this rule during active investigations

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(FileOpenInfo|PeFileWritten|FileWritten|SyntheticProcessRollup2)$/
| TargetFileName = /\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|Mozilla\\Firefox\\Profiles|BraveSoftware\\Brave-Browser\\User Data|Opera Software\\Opera Stable|Vivaldi\\User Data)\\/i
| TargetFileName = /(\\|\/)(History|Bookmarks|Login Data|Cookies|Web Data|places\.sqlite|logins\.json|key4\.db|LocalState|Favicons|Visited Links|Extension Cookies|TransportSecurity)(\x00|$)/i
| ImageFileName != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe|vivaldi\.exe|opera\.exe|msedgewebview2\.exe|MicrosoftEdge\.exe|MsMpEng\.exe|SearchIndexer\.exe|SgrmBroker\.exe|CompatTelRunner\.exe|TiWorker\.exe)$/
| IsScriptEngine := if(ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$/, "true", "false")
| IsPython := if(ImageFileName = /(?i)(python3?\.exe|pythonw\.exe)$/, "true", "false")
| IsArchiver := if(ImageFileName = /(?i)(7z\.exe|winrar\.exe|zip\.exe|robocopy\.exe|xcopy\.exe|tar\.exe)$/, "true", "false")
| IsSuspiciousPath := if(ImageFileName = /(?i)\\(Temp|AppData\\Roaming|Downloads|Public)\\/, "true", "false")
| RiskScore := if(IsScriptEngine = "true", 1, 0) + if(IsPython = "true", 1, 0) + if(IsArchiver = "true", 1, 0) + if(IsSuspiciousPath = "true", 1, 0)
| BrowserTarget := case {
    TargetFileName = /(?i)\\Chrome\\/, "Chrome" ;
    TargetFileName = /(?i)\\Edge\\/, "Edge" ;
    TargetFileName = /(?i)(\\Firefox\\|places\.sqlite|logins\.json|key4\.db)/, "Firefox" ;
    TargetFileName = /(?i)\\Brave/, "Brave" ;
    TargetFileName = /(?i)\\Vivaldi\\/, "Vivaldi" ;
    * => "Unknown"
  }
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, BrowserTarget, IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent with file telemetry enabled Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio/LogScale SIEM

Required Tables

FileOpenInfo Falcon events FileWritten Falcon events PeFileWritten Falcon events

False Positives

CrowdStrike Falcon sensor processes (CSFalconService, CSFalconContainer) may generate file telemetry against browser profile paths during behavioral analysis routines or artifact collection as part of their own threat detection engine — these are typically filtered by the sensor but can surface in raw FDR data
Endpoint management and UEM platforms (Microsoft Intune, Jamf, Tanium) running management agents that perform periodic software inventory or compliance scanning may access browser profile directories to enumerate browser version, extension state, and security posture
User-initiated third-party browser profile synchronization or backup utilities (browser export tools, profile managers) running as scheduled tasks under a non-browser process name that copies or archives browser data to local or network destinations

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Browser Information Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections