T1217 Microsoft Sentinel · KQL

Detect Browser Information Discovery in Microsoft Sentinel

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1217 Browser Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1217/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let BrowserDataFiles = dynamic([
  "History", "Bookmarks", "Login Data", "Cookies", "Web Data",
  "places.sqlite", "logins.json", "key4.db", "LocalState",
  "Favicons", "Network Action Predictor", "Visited Links",
  "Extension Cookies", "TransportSecurity", "BookmarksExtended"
]);
let LegitBrowserProcesses = dynamic([
  "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
  "opera.exe", "iexplore.exe", "MicrosoftEdge.exe", "msedgewebview2.exe",
  "chromium.exe", "vivaldi.exe"
]);
let BrowserDataPaths = dynamic([
  "\\Google\\Chrome\\User Data\\",
  "\\Microsoft\\Edge\\User Data\\",
  "\\Mozilla\\Firefox\\Profiles\\",
  "\\BraveSoftware\\Brave-Browser\\User Data\\",
  "\\Opera Software\\Opera Stable\\",
  "\\Vivaldi\\User Data\\"
]);
let NoisySystemProcesses = dynamic([
  "MsMpEng.exe", "SearchIndexer.exe", "SgrmBroker.exe",
  "CompatTelRunner.exe", "TiWorker.exe"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileCopied", "FileCreated", "FileRenamed")
| where FolderPath has_any (BrowserDataPaths)
| where FileName in~ (BrowserDataFiles)
| where not(InitiatingProcessFileName in~ (LegitBrowserProcesses))
| where not(InitiatingProcessFileName in~ (NoisySystemProcesses))
| extend IsScriptEngine = InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend IsArchiver = InitiatingProcessFileName in~ ("7z.exe", "winrar.exe", "zip.exe", "robocopy.exe", "xcopy.exe", "tar.exe")
| extend IsPython = InitiatingProcessFileName in~ ("python.exe", "python3.exe", "pythonw.exe")
| extend IsSuspiciousPath = InitiatingProcessFolderPath has_any ("\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\", "\\Public\\")
| extend RiskScore = toint(IsScriptEngine) + toint(IsArchiver) + toint(IsPython) + toint(IsSuspiciousPath)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, InitiatingProcessParentFileName,
          IsScriptEngine, IsArchiver, IsPython, IsSuspiciousPath, RiskScore
| sort by RiskScore desc, Timestamp desc
medium severity medium confidence

Detects non-browser processes reading or copying browser profile data files from known browser data directories. Monitors DeviceFileEvents for access to sensitive browser SQLite databases and JSON files (History, Bookmarks, Login Data, Cookies, places.sqlite, logins.json, key4.db, LocalState) by processes other than legitimate browser executables. Assigns a risk score based on whether the accessing process is a scripting engine, archiver, Python interpreter, or running from a suspicious directory path.

Data Sources

File: File AccessFile: File ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives & Tuning

  • Backup software (Veeam, Acronis, Windows Backup) backing up user AppData directories including browser profiles
  • Enterprise endpoint management tools (Tanium, BigFix, SCCM inventory agents) performing asset scans of user profile contents
  • Password managers (1Password, Bitwarden, KeePass import utilities) reading browser data for credential import/migration workflows
  • Browser profile migration or sync tools (e.g., MigrationAssistant, PCmover) during workstation refresh cycles
  • Security tools and DLP agents that scan browser storage as part of data classification or credential exposure monitoring
Download portable Sigma rule (.yml)

Other platforms for T1217

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Copy Chrome History and Bookmarks

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.

  2. Test 2CMD Directory Enumeration of Firefox Profiles

    Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.

  3. Test 3Python SQLite Query Against Chrome History

    Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.

  4. Test 4PowerShell Read Chrome Bookmarks for Internal Resource Discovery

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.

  5. Test 5Linux Shell Script Collecting Firefox and Chrome Browser Data

    Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1552.001Credentials In FilesT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1082System Information DiscoveryT1033System Owner/User DiscoveryT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1074.001Local Data StagingT1185Browser Session Hijacking

Same Tactic: Discovery

Popular Detections