T1217 Splunk · SPL

Detect Browser Information Discovery in Splunk

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.

MITRE ATT&CK

Tactic
Discovery
Technique
T1217 Browser Information Discovery
Canonical reference
https://attack.mitre.org/techniques/T1217/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (
    TargetFilename="*\\Google\\Chrome\\User Data\\*" OR
    TargetFilename="*\\Microsoft\\Edge\\User Data\\*" OR
    TargetFilename="*\\Mozilla\\Firefox\\Profiles\\*" OR
    TargetFilename="*\\BraveSoftware\\Brave-Browser\\User Data\\*" OR
    TargetFilename="*\\Opera Software\\Opera Stable\\*"
  )
  (
    TargetFilename="*History*" OR TargetFilename="*Bookmarks*" OR
    TargetFilename="*Login Data*" OR TargetFilename="*Cookies*" OR
    TargetFilename="*places.sqlite*" OR TargetFilename="*logins.json*" OR
    TargetFilename="*key4.db*" OR TargetFilename="*LocalState*" OR
    TargetFilename="*Web Data*" OR TargetFilename="*Favicons*"
  )
  NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
    OR Image="*\\brave.exe" OR Image="*\\chromium.exe" OR Image="*\\vivaldi.exe"
    OR Image="*\\MsMpEng.exe" OR Image="*\\SearchIndexer.exe"
    OR Image="*\\msedgewebview2.exe")
| eval IsScriptEngine=if(match(Image, "(?i)(powershell|pwsh|cmd|wscript|cscript|mshta)"), 1, 0)
| eval IsPython=if(match(Image, "(?i)(python[23]?\.exe|pythonw\.exe)"), 1, 0)
| eval IsArchiver=if(match(Image, "(?i)(7z|winrar|zip|robocopy|xcopy|tar)"), 1, 0)
| eval IsSuspiciousPath=if(match(Image, "(?i)(\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\downloads\\\\|\\\\public\\\\)"), 1, 0)
| eval RiskScore=IsScriptEngine + IsPython + IsArchiver + IsSuspiciousPath
| eval BrowserType=case(
    match(TargetFilename, "(?i)chrome"), "Chrome",
    match(TargetFilename, "(?i)edge"), "Edge",
    match(TargetFilename, "(?i)firefox|places|logins|key4"), "Firefox",
    match(TargetFilename, "(?i)brave"), "Brave",
    1=1, "Unknown"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, BrowserType,
        IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore
| sort - RiskScore - _time
medium severity medium confidence

Detects non-browser processes creating or copying browser profile data files using Sysmon Event ID 11 (File Create). Monitors for access to sensitive browser files across Chrome, Edge, Firefox, Brave, and Opera profile directories. Evaluates each event with risk scoring based on accessing process characteristics: scripting engines (PowerShell, WScript), Python interpreters, archive/copy tools, and processes running from suspicious directory paths. Higher risk scores warrant immediate investigation.

Data Sources

File: File CreationFile: File ModificationSysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup software (Veeam, Acronis, Windows Backup) backing up user AppData directories including browser profiles
  • Enterprise endpoint management tools (Tanium, BigFix, SCCM inventory agents) performing asset scans of user profile contents
  • Password managers (1Password, Bitwarden, KeePass import utilities) reading browser data for credential import/migration workflows
  • Browser profile migration or sync tools (e.g., MigrationAssistant, PCmover) during workstation refresh cycles
  • Security tools and DLP agents that scan browser storage as part of data classification or credential exposure monitoring
Download portable Sigma rule (.yml)

Other platforms for T1217

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Copy Chrome History and Bookmarks

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.

  2. Test 2CMD Directory Enumeration of Firefox Profiles

    Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.

  3. Test 3Python SQLite Query Against Chrome History

    Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.

  4. Test 4PowerShell Read Chrome Bookmarks for Internal Resource Discovery

    Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.

  5. Test 5Linux Shell Script Collecting Firefox and Chrome Browser Data

    Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1552.001Credentials In FilesT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1082System Information DiscoveryT1033System Owner/User DiscoveryT1005Data from Local SystemT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1074.001Local Data StagingT1185Browser Session Hijacking

Same Tactic: Discovery

Popular Detections