Detect Browser Information Discovery in IBM QRadar
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1217 Browser Information Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1217/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
LOGSOURCETYPENAME(devicetype) AS LogSourceType,
sourceip AS SourceIP,
username AS Username,
"Machine Identifier" AS Hostname,
"Process Name" AS ProcessName,
"Process Path" AS ProcessPath,
"Command Line" AS CommandLine,
"Target Filename" AS TargetFilename,
QIDNAME(qid) AS EventName,
CASE
WHEN LOWER("Process Name") MATCHES '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta)' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Process Name") MATCHES '(?i)(python3?\.exe|pythonw\.exe)' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Process Name") MATCHES '(?i)(7z|winrar|zip|robocopy|xcopy|tar)\.exe' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Process Path") MATCHES '(?i)(\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\downloads\\\\|\\\\public\\\\)' THEN 1
ELSE 0
END AS RiskScore,
CASE
WHEN LOWER("Target Filename") LIKE '%\\google\\chrome\\%' THEN 'Chrome'
WHEN LOWER("Target Filename") LIKE '%\\microsoft\\edge\\%' THEN 'Edge'
WHEN LOWER("Target Filename") LIKE '%\\mozilla\\firefox\\%' THEN 'Firefox'
WHEN LOWER("Target Filename") LIKE '%places.sqlite%' THEN 'Firefox'
WHEN LOWER("Target Filename") LIKE '%logins.json%' THEN 'Firefox'
WHEN LOWER("Target Filename") LIKE '%key4.db%' THEN 'Firefox'
WHEN LOWER("Target Filename") LIKE '%\\bravesoftware\\%' THEN 'Brave'
WHEN LOWER("Target Filename") LIKE '%\\vivaldi\\%' THEN 'Vivaldi'
WHEN LOWER("Target Filename") LIKE '%\\opera software\\%' THEN 'Opera'
ELSE 'Unknown'
END AS BrowserTarget
FROM events
WHERE
"EventID" = '11'
AND (
LOWER("Target Filename") LIKE '%\\google\\chrome\\user data\\%'
OR LOWER("Target Filename") LIKE '%\\microsoft\\edge\\user data\\%'
OR LOWER("Target Filename") LIKE '%\\mozilla\\firefox\\profiles\\%'
OR LOWER("Target Filename") LIKE '%\\bravesoftware\\brave-browser\\user data\\%'
OR LOWER("Target Filename") LIKE '%\\opera software\\opera stable\\%'
OR LOWER("Target Filename") LIKE '%\\vivaldi\\user data\\%'
)
AND (
LOWER("Target Filename") LIKE '%history%'
OR LOWER("Target Filename") LIKE '%bookmarks%'
OR LOWER("Target Filename") LIKE '%login data%'
OR LOWER("Target Filename") LIKE '%cookies%'
OR LOWER("Target Filename") LIKE '%web data%'
OR LOWER("Target Filename") LIKE '%places.sqlite%'
OR LOWER("Target Filename") LIKE '%logins.json%'
OR LOWER("Target Filename") LIKE '%key4.db%'
OR LOWER("Target Filename") LIKE '%local state%'
OR LOWER("Target Filename") LIKE '%favicons%'
)
AND NOT (
LOWER("Process Name") LIKE '%chrome.exe'
OR LOWER("Process Name") LIKE '%msedge.exe'
OR LOWER("Process Name") LIKE '%firefox.exe'
OR LOWER("Process Name") LIKE '%brave.exe'
OR LOWER("Process Name") LIKE '%chromium.exe'
OR LOWER("Process Name") LIKE '%vivaldi.exe'
OR LOWER("Process Name") LIKE '%opera.exe'
OR LOWER("Process Name") LIKE '%msedgewebview2.exe'
OR LOWER("Process Name") LIKE '%msmpeeng.exe'
OR LOWER("Process Name") LIKE '%searchindexer.exe'
OR LOWER("Process Name") LIKE '%sgrmbroker.exe'
OR LOWER("Process Name") LIKE '%compattelrunner.exe'
OR LOWER("Process Name") LIKE '%tiworker.exe'
)
LAST 24 HOURS
ORDER BY RiskScore DESC, starttime DESC
QRadar AQL query detecting T1217 Browser Information Discovery using Sysmon EventID 11 (File Create) events. It identifies non-browser processes creating files within browser profile directories that hold credential and history data, excludes the browsers themselves and a set of Windows components, and adds a RiskScore derived from the initiating process type (script hosts, Python, archivers and copy tools) and from whether the process runs from a temp, roaming, downloads or public path. Requires the Sysmon DSM custom properties Target Filename, Process Name, Process Path, and Command Line to be configured.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup agents (Commvault, NetBackup, Veeam) that include user profile directories in backup job definitions generate high-volume false positives during scheduled backup windows — whitelist backup agent process names after validation
- System profiling and software inventory tools deployed by IT operations that enumerate installed browser versions, profile locations, and extension manifests as part of asset inventory collection
- Developer tools and IDE extensions that integrate with browser profiles for automated testing workflows, particularly Selenium/WebDriver-adjacent tooling that reads or writes Chrome/Firefox profiles
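To test the query's filters, RiskScore and BrowserTarget expressions, and the process allowlisting suggested under False Positives & Tuning, before the rule goes live, here is an added Python re-implementation of the same logic run over constructed Sysmon Event ID 11 records. It is example code written for this page, not QRadar code and not part of the original rule; the record field names, the sample paths, and the process name backupagent.exe (a stand-in for a backup agent) are assumptions chosen for illustration.

```python
"""Added example: replays the page's QRadar AQL logic for T1217 in Python over
constructed Sysmon Event ID 11 records so the rule can be checked offline."""
import re

# Browser profile directories from the query's first WHERE block
# (lower-cased substring match, like AQL LIKE '%...%').
BROWSER_PROFILE_PATHS = (
    "\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\",
    "\\mozilla\\firefox\\profiles\\", "\\bravesoftware\\brave-browser\\user data\\",
    "\\opera software\\opera stable\\", "\\vivaldi\\user data\\",
)
# Credential and history artefacts from the second WHERE block.
SENSITIVE_FILES = ("history", "bookmarks", "login data", "cookies", "web data",
                   "places.sqlite", "logins.json", "key4.db", "local state", "favicons")
# Processes the query excludes: the browsers themselves plus Windows components.
EXCLUDED_PROCESSES = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                      "chromium.exe", "vivaldi.exe", "opera.exe", "msedgewebview2.exe",
                      "msmpeng.exe", "searchindexer.exe", "sgrmbroker.exe",
                      "compattelrunner.exe", "tiworker.exe")
# The RiskScore CASE expressions: three on the process name, one on its path.
RISK_FACTORS = (
    re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta)", re.I),
    re.compile(r"(python3?\.exe|pythonw\.exe)", re.I),
    re.compile(r"(7z|winrar|zip|robocopy|xcopy|tar)\.exe", re.I),
)
SUSPICIOUS_PATH = re.compile(r"(\\temp\\|\\appdata\\roaming\\|\\downloads\\|\\public\\)", re.I)
# BrowserTarget CASE, evaluated in order; first match wins.
BROWSER_LABELS = (
    ("\\google\\chrome\\", "Chrome"), ("\\microsoft\\edge\\", "Edge"),
    ("\\mozilla\\firefox\\", "Firefox"), ("places.sqlite", "Firefox"),
    ("logins.json", "Firefox"), ("key4.db", "Firefox"),
    ("\\bravesoftware\\", "Brave"), ("\\vivaldi\\", "Vivaldi"),
    ("\\opera software\\", "Opera"),
)


def classify_browser(target_filename):
    t = target_filename.lower()
    for needle, label in BROWSER_LABELS:
        if needle in t:
            return label
    return "Unknown"


def risk_score(process_name, process_path):
    score = sum(1 for rx in RISK_FACTORS if rx.search(process_name))
    return score + (1 if SUSPICIOUS_PATH.search(process_path) else 0)


def is_excluded(process_name, allowlist=()):
    # AQL LIKE '%name.exe' is a suffix match; allowlist holds tuned-out agents.
    p = process_name.lower()
    return any(p.endswith(x.lower()) for x in EXCLUDED_PROCESSES + tuple(allowlist))


def matches(event, allowlist=()):
    """Apply the query's WHERE clause to one Sysmon Event ID 11 record."""
    if event["EventID"] != "11":
        return False
    t = event["TargetFilename"].lower()
    if not any(p in t for p in BROWSER_PROFILE_PATHS):
        return False
    if not any(f in t for f in SENSITIVE_FILES):
        return False
    return not is_excluded(event["ProcessName"], allowlist)


def run_detection(events, allowlist=()):
    """Return matching events with RiskScore and BrowserTarget, highest risk first."""
    hits = [{**ev, "RiskScore": risk_score(ev["ProcessName"], ev["ProcessPath"]),
             "BrowserTarget": classify_browser(ev["TargetFilename"])}
            for ev in events if matches(ev, allowlist)]
    hits.sort(key=lambda h: (h["RiskScore"], h["EventTime"]), reverse=True)
    return hits


# Constructed records (not real telemetry); field names mirror the query's properties.
SAMPLE_EVENTS = [
    {"EventID": "11", "EventTime": "2024-01-01 10:00:00", "ProcessName": "powershell.exe",
     "ProcessPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"},
    {"EventID": "11", "EventTime": "2024-01-01 10:01:00", "ProcessName": "7z.exe",
     "ProcessPath": "C:\\Users\\bob\\Downloads\\7z.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2.default\\logins.json"},
    {"EventID": "11", "EventTime": "2024-01-01 10:02:00", "ProcessName": "chrome.exe",
     "ProcessPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"},
    # A staged copy written to TEMP (the shape of the page's Test 1): it is outside
    # the profile-path filter, so the query does not fire on this record.
    {"EventID": "11", "EventTime": "2024-01-01 10:03:00", "ProcessName": "powershell.exe",
     "ProcessPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\browser_data_test\\History"},
    # Hypothetical backup agent name, used to show the tuning allowlist.
    {"EventID": "11", "EventTime": "2024-01-01 10:04:00", "ProcessName": "backupagent.exe",
     "ProcessPath": "C:\\Program Files\\ExampleBackup\\backupagent.exe",
     "TargetFilename": "C:\\Users\\carol\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, allowlist=("backupagent.exe",)):
        print(hit["RiskScore"], hit["BrowserTarget"], hit["ProcessName"], hit["TargetFilename"])
```

Without an allowlist the sample yields three hits, ordered 7z.exe (score 2: archiver plus a Downloads path), powershell.exe (score 1) and the backup agent (score 0); passing the agent's name through the allowlist removes it, which is the whitelisting step the tuning notes describe. The fourth record illustrates a caveat worth checking in your own lab: the query's path filter only matches file creates inside a browser profile directory, so a copy of History staged under $TEMP, as in Test 1 of the testing methodology, produces an Event ID 11 that this rule does not match; coverage for that case has to come from the Event ID 1 command-line indicator the test also lists.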
Other platforms for T1217
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Copy Chrome History and Bookmarks
Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.
- Test 2: CMD Directory Enumeration of Firefox Profiles
Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.
- Test 3: Python SQLite Query Against Chrome History
Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.
- Test 4: PowerShell Read Chrome Bookmarks for Internal Resource Discovery
Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.
- Test 5: Linux Shell Script Collecting Firefox and Chrome Browser Data
Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.
References (9)
- https://attack.mitre.org/techniques/T1217/
- https://support.google.com/chrome/a/answer/7349337
- https://www.kaspersky.com/blog/browser-data-theft/27871/
- https://securelist.com/calisto-trojan-for-macos/86543/
- https://www.sentinelone.com/labs/metador-investigating-an-elusive-apt/
- https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.splunk.com/en_us/blog/security/detecting-redline-stealer.html