T1217 CrowdStrike LogScale · LogScale

Detect Browser Information Discovery in CrowdStrike LogScale

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1217 Browser Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1217/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = /^(FileOpenInfo|PeFileWritten|FileWritten|SyntheticProcessRollup2)$/
| TargetFileName = /\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|Mozilla\\Firefox\\Profiles|BraveSoftware\\Brave-Browser\\User Data|Opera Software\\Opera Stable|Vivaldi\\User Data)\\/i
| TargetFileName = /(\\|\/)(History|Bookmarks|Login Data|Cookies|Web Data|places\.sqlite|logins\.json|key4\.db|LocalState|Favicons|Visited Links|Extension Cookies|TransportSecurity)(\x00|$)/i
| ImageFileName != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe|vivaldi\.exe|opera\.exe|msedgewebview2\.exe|MicrosoftEdge\.exe|MsMpEng\.exe|SearchIndexer\.exe|SgrmBroker\.exe|CompatTelRunner\.exe|TiWorker\.exe)$/
| IsScriptEngine := if(ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)$/, "true", "false")
| IsPython := if(ImageFileName = /(?i)(python3?\.exe|pythonw\.exe)$/, "true", "false")
| IsArchiver := if(ImageFileName = /(?i)(7z\.exe|winrar\.exe|zip\.exe|robocopy\.exe|xcopy\.exe|tar\.exe)$/, "true", "false")
| IsSuspiciousPath := if(ImageFileName = /(?i)\\(Temp|AppData\\Roaming|Downloads|Public)\\/, "true", "false")
| RiskScore := if(IsScriptEngine = "true", 1, 0) + if(IsPython = "true", 1, 0) + if(IsArchiver = "true", 1, 0) + if(IsSuspiciousPath = "true", 1, 0)
| BrowserTarget := case {
    TargetFileName = /(?i)\\Chrome\\/, "Chrome" ;
    TargetFileName = /(?i)\\Edge\\/, "Edge" ;
    TargetFileName = /(?i)(\\Firefox\\|places\.sqlite|logins\.json|key4\.db)/, "Firefox" ;
    TargetFileName = /(?i)\\Brave/, "Brave" ;
    TargetFileName = /(?i)\\Vivaldi\\/, "Vivaldi" ;
    * => "Unknown"
  }
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, BrowserTarget, IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore])
| sort(RiskScore, order=desc)
high severity high confidence

CrowdStrike LogScale (Falcon) CQL query detecting T1217 Browser Information Discovery using Falcon file telemetry events (FileOpenInfo, FileWritten). Filters for non-browser processes accessing browser credential, history, and session files across all major browser profile paths. Applies risk scoring based on initiating process classification and path characteristics. Requires Falcon Prevent or Falcon Insight with file write telemetry enabled.

Data Sources

CrowdStrike Falcon Endpoint Agent with file telemetry enabledFalcon Data Replicator (FDR) streaming to LogScaleCrowdStrike Humio/LogScale SIEM

Required Tables

FileOpenInfo Falcon eventsFileWritten Falcon eventsPeFileWritten Falcon events

False Positives & Tuning

  • CrowdStrike Falcon sensor processes (CSFalconService, CSFalconContainer) may generate file telemetry against browser profile paths during behavioral analysis routines or artifact collection as part of their own threat detection engine — these are typically filtered by the sensor but can surface in raw FDR data
  • Endpoint management and UEM platforms (Microsoft Intune, Jamf, Tanium) running management agents that perform periodic software inventory or compliance scanning may access browser profile directories to enumerate browser version, extension state, and security posture
  • User-initiated third-party browser profile synchronization or backup utilities (browser export tools, profile managers) running as scheduled tasks under a non-browser process name that copies or archives browser data to local or network destinations
Download portable Sigma rule (.yml)

Other platforms for T1217

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Copy Chrome History and Bookmarks

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.

  2. Test 2CMD Directory Enumeration of Firefox Profiles

    Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.

  3. Test 3Python SQLite Query Against Chrome History

    Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.

  4. Test 4PowerShell Read Chrome Bookmarks for Internal Resource Discovery

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.

  5. Test 5Linux Shell Script Collecting Firefox and Chrome Browser Data

    Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1552.001Credentials In FilesT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1082System Information DiscoveryT1033System Owner/User DiscoveryT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1074.001Local Data StagingT1185Browser Session Hijacking

Same Tactic: Discovery

Popular Detections