T1217 Google Chronicle · YARA-L

Detect Browser Information Discovery in Google Chronicle

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

MITRE ATT&CK

Tactic: Discovery
Technique: T1217 Browser Information Discovery
Canonical reference: https://attack.mitre.org/techniques/T1217/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule browser_information_discovery_t1217 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1217 Browser Information Discovery: non-browser processes accessing browser credential, history, and session files in known browser profile directories"
    technique_id = "T1217"
    tactic = "Discovery"
    platform = "Windows"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1217/"
    version = "1.0"

  events:
    // File activity of any kind against the target path; FILE_OPEN covers read-only access.
    (
      $e.metadata.event_type = "FILE_OPEN" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_COPY" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )

    // Target path lies inside a known browser profile directory.
    (
      re.regex($e.target.file.full_path, `(?i)\\Google\\Chrome\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Microsoft\\Edge\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Mozilla\\Firefox\\Profiles\\`) or
      re.regex($e.target.file.full_path, `(?i)\\BraveSoftware\\Brave-Browser\\User Data\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Opera Software\\Opera Stable\\`) or
      re.regex($e.target.file.full_path, `(?i)\\Vivaldi\\User Data\\`)
    )

    // Target file is a credential, history, cookie or session artifact.
    // Chrome's file is named "Local State" (with a space); the unspaced form never matches.
    re.regex($e.target.file.full_path, `(?i)(History|Bookmarks|Login Data|Cookies|Web Data|places\.sqlite|logins\.json|key4\.db|Local State|Favicons|Visited Links|Extension Cookies|TransportSecurity)`)

    // Exclude the browsers themselves and Windows components that legitimately touch these files.
    not re.regex($e.principal.process.file.full_path, `(?i)(\\chrome\.exe|\\msedge\.exe|\\firefox\.exe|\\brave\.exe|\\opera\.exe|\\chromium\.exe|\\vivaldi\.exe|\\msedgewebview2\.exe|\\MicrosoftEdge\.exe|\\MsMpEng\.exe|\\SearchIndexer\.exe|\\SgrmBroker\.exe|\\CompatTelRunner\.exe|\\TiWorker\.exe)$`)

    // Require a resolved process path and bind user and host for the match window.
    $e.principal.process.file.full_path != ""
    $e.principal.user.userid = $user
    $e.principal.hostname = $hostname

  match:
    $user, $hostname over 1h

  outcome:
    // Each matching factor adds 25 points per event; max() keeps the highest-scoring event in the window.
    $risk_score = max(
      if(re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(python3?\.exe|pythonw\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(7z\.exe|winrar\.exe|zip\.exe|robocopy\.exe|xcopy\.exe|tar\.exe)$`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)\\(Temp|AppData\\Roaming|Downloads|Public)\\`), 25, 0)
    )
    $event_count = count_distinct($e.metadata.id)
    $target_files = array_distinct($e.target.file.full_path)
    $initiating_processes = array_distinct($e.principal.process.file.full_path)
    // Label which browser's profile was touched, for triage.
    $browser_targets = array_distinct(
      if(re.regex($e.target.file.full_path, `(?i)\\Chrome\\`), "Chrome",
      if(re.regex($e.target.file.full_path, `(?i)\\Edge\\`), "Edge",
      if(re.regex($e.target.file.full_path, `(?i)(Firefox|places\.sqlite|logins\.json|key4\.db)`), "Firefox",
      if(re.regex($e.target.file.full_path, `(?i)\\Brave`), "Brave", "Unknown"))))
    )

  condition:
    $e
}

This Chronicle YARA-L 2.0 rule detects T1217 Browser Information Discovery by matching file access events against browser credential, history and session files when the initiating process is neither a browser nor a known Windows component. Events are aggregated per user and host over a 1-hour window, with a risk score derived from the type and location of the initiating process. Outcome fields capture distinct target files, initiating processes, and browser targets for analyst triage.
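To check the rule's regexes and scoring offline before deploying it, the following Python re-implementation of its events and outcome predicates (an added example, not code from the page or from Chronicle) runs the same logic over constructed sample events; the UDM field names are flattened to short dictionary keys, which is an assumption of this example only.

```python
import re
# Constructed re-implementation of the rule's predicates, not Chronicle's engine.
FILE_EVENTS = {"FILE_OPEN", "FILE_CREATION", "FILE_COPY", "FILE_MODIFICATION"}
PROFILE_DIRS = re.compile(r"(?i)\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|"
    r"Mozilla\\Firefox\\Profiles|BraveSoftware\\Brave-Browser\\User Data|"
    r"Opera Software\\Opera Stable|Vivaldi\\User Data)\\")
ARTIFACTS = re.compile(r"(?i)(History|Bookmarks|Login Data|Cookies|Web Data|places\.sqlite|"
    r"logins\.json|key4\.db|Local State|Favicons|Visited Links|Extension Cookies|TransportSecurity)")
BROWSER_PROCS = re.compile(r"(?i)\\(chrome|msedge|firefox|brave|opera|chromium|vivaldi|msedgewebview2|"
    r"MicrosoftEdge|MsMpEng|SearchIndexer|SgrmBroker|CompatTelRunner|TiWorker)\.exe$")
RISK_FACTORS = [  # each matching factor adds 25 points, as in the rule's outcome section
    re.compile(r"(?i)(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$"),
    re.compile(r"(?i)(python3?|pythonw)\.exe$"),
    re.compile(r"(?i)(7z|winrar|zip|robocopy|xcopy|tar)\.exe$"),
    re.compile(r"(?i)\\(Temp|AppData\\Roaming|Downloads|Public)\\"),
]
def event_matches(ev):
    """The rule's events: block: a file event on a browser artifact by a non-browser process."""
    return (ev["event_type"] in FILE_EVENTS and ev["process"] != ""
            and PROFILE_DIRS.search(ev["target"]) is not None
            and ARTIFACTS.search(ev["target"]) is not None
            and BROWSER_PROCS.search(ev["process"]) is None)

def risk_score(process):
    return sum(25 for rx in RISK_FACTORS if rx.search(process))

def evaluate(events):
    """Group matches per (user, host) as 'match: $user, $hostname over 1h' does; compute outcomes."""
    groups = {}
    for ev in events:
        if not event_matches(ev):
            continue
        g = groups.setdefault((ev["user"], ev["host"]),
                              {"risk_score": 0, "event_count": 0, "target_files": set()})
        g["risk_score"] = max(g["risk_score"], risk_score(ev["process"]))  # max() of per-event sums
        g["event_count"] += 1
        g["target_files"].add(ev["target"])
    return groups
SAMPLE_EVENTS = [  # constructed telemetry; UDM field names flattened to short keys
    {"event_type": "FILE_OPEN", "user": "alice", "host": "WS01",  # the browser itself: excluded
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"event_type": "FILE_COPY", "user": "alice", "host": "WS01",  # copy tool run from Roaming: 50
     "process": r"C:\Users\alice\AppData\Roaming\stage\robocopy.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event_type": "FILE_OPEN", "user": "bob", "host": "WS02",  # PowerShell reading Firefox logins: 25
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
]
```

Feeding the same events through the deployed rule in Chronicle's rule editor should produce the same per-user, per-host groupings and scores; a divergence points at a regex or field-mapping difference.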

Data Sources

  • Chronicle SIEM with Endpoint Detection telemetry
  • Windows Sysmon forwarded via Chronicle Forwarder (BindPlane)
  • CrowdStrike Falcon via Chronicle SIEM integration
  • Microsoft Defender for Endpoint via Chronicle MDET integration
  • Carbon Black Cloud via Chronicle integration

Required Tables

UDM events of type FILE_OPEN, FILE_CREATION, FILE_COPY or FILE_MODIFICATION, ingested with the principal.process and target.file fields populated

False Positives & Tuning

  • Enterprise backup solutions integrated with Chronicle telemetry (Cohesity, Rubrik, Veeam) that perform file-level backups covering user profile directories — backup agent process names should be added to the exclusion regex after environment-specific validation
  • IT provisioning and workstation migration tools that copy or transfer browser profiles during OS refresh, hardware replacement, or domain migration workflows — these generate file copy events across browser data paths at high volume
  • Security operations tooling performing automated forensic collection of browser artifacts (KAPE, Velociraptor, OSQuery) as part of incident response playbook execution may trigger this rule during active investigations

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Copy Chrome History and Bookmarks

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.

  2. Test 2: CMD Directory Enumeration of Firefox Profiles

    Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.

  3. Test 3: Python SQLite Query Against Chrome History

    Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.

  4. Test 4: PowerShell Read Chrome Bookmarks for Internal Resource Discovery

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.

  5. Test 5: Linux Shell Script Collecting Firefox and Chrome Browser Data

    Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.
