T1217 Elastic Security · Elastic

Detect Browser Information Discovery in Elastic Security

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1217 Browser Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1217/

Elastic Detection Query

Elastic Security (Elastic)
eql 
file where event.category == "file" and
  event.action in ("creation", "modification", "access") and
  (
    file.path like~ "*\\Google\\Chrome\\User Data\\*" or
    file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
    file.path like~ "*\\Mozilla\\Firefox\\Profiles\\*" or
    file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*" or
    file.path like~ "*\\Opera Software\\Opera Stable\\*" or
    file.path like~ "*\\Vivaldi\\User Data\\*"
  ) and
  file.name in~ (
    "History", "Bookmarks", "Login Data", "Cookies", "Web Data",
    "places.sqlite", "logins.json", "key4.db", "LocalState",
    "Favicons", "Network Action Predictor", "Visited Links",
    "Extension Cookies", "TransportSecurity"
  ) and
  not process.name in~ (
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
    "opera.exe", "iexplore.exe", "MicrosoftEdge.exe", "msedgewebview2.exe",
    "chromium.exe", "vivaldi.exe", "MsMpEng.exe", "SearchIndexer.exe",
    "SgrmBroker.exe", "CompatTelRunner.exe", "TiWorker.exe"
  )
high severity high confidence

Detects T1217 Browser Information Discovery by identifying non-browser processes performing file creation, modification, or access events against browser credential, history, and session files within known browser profile directories on Windows endpoints. Excludes legitimate browser and Windows noise processes.

Data Sources

Elastic Endpoint Security agentWinlogbeat with Sysmon moduleElastic Agent with Windows integration

Required Tables

logs-endpoint.events.file-*winlogbeat-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Enterprise backup software (Veeam, Acronis, Commvault) performing file-level backups of user profile directories during scheduled backup windows — these agents legitimately read browser data files at the OS level
  • IT asset management and software inventory tools (SCCM inventory, Tanium, Nexthink) scanning user profile directories to enumerate installed browser versions, cached credentials indicators, or extension lists
  • Antivirus or EDR products other than Windows Defender performing full-system scan routines may open browser data files for malware signature scanning — particularly third-party AV engines running as non-browser process names
  • Password manager desktop applications (KeePass, 1Password, Bitwarden) that provide browser credential import functionality by reading browser Login Data SQLite files at user request
  • Browser profile migration or synchronization utilities used during OS refresh or workstation provisioning workflows that copy entire profile directories
Download portable Sigma rule (.yml)

Other platforms for T1217

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Copy Chrome History and Bookmarks

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.

  2. Test 2CMD Directory Enumeration of Firefox Profiles

    Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.

  3. Test 3Python SQLite Query Against Chrome History

    Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.

  4. Test 4PowerShell Read Chrome Bookmarks for Internal Resource Discovery

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.

  5. Test 5Linux Shell Script Collecting Firefox and Chrome Browser Data

    Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1552.001Credentials In FilesT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1082System Information DiscoveryT1033System Owner/User DiscoveryT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1074.001Local Data StagingT1185Browser Session Hijacking

Same Tactic: Discovery

Popular Detections