Detect Browser Information Discovery in Sumo Logic CSE
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1217 Browser Information Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1217/
Sumo Detection Query
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*winlogbeat* OR _sourceCategory=*microsoft*windows*sysmon*)
| where EventID = "11"
| where TargetFilename matches "*\\Google\\Chrome\\User Data\\*"
OR TargetFilename matches "*\\Microsoft\\Edge\\User Data\\*"
OR TargetFilename matches "*\\Mozilla\\Firefox\\Profiles\\*"
OR TargetFilename matches "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
OR TargetFilename matches "*\\Opera Software\\Opera Stable\\*"
OR TargetFilename matches "*\\Vivaldi\\User Data\\*"
| where TargetFilename matches "*History*"
OR TargetFilename matches "*Bookmarks*"
OR TargetFilename matches "*Login Data*"
OR TargetFilename matches "*Cookies*"
OR TargetFilename matches "*Web Data*"
OR TargetFilename matches "*places.sqlite*"
OR TargetFilename matches "*logins.json*"
OR TargetFilename matches "*key4.db*"
OR TargetFilename matches "*LocalState*"
OR TargetFilename matches "*Favicons*"
| where !(Image matches "*\\chrome.exe"
OR Image matches "*\\msedge.exe"
OR Image matches "*\\firefox.exe"
OR Image matches "*\\brave.exe"
OR Image matches "*\\chromium.exe"
OR Image matches "*\\vivaldi.exe"
OR Image matches "*\\opera.exe"
OR Image matches "*\\msedgewebview2.exe"
OR Image matches "*\\MicrosoftEdge.exe"
OR Image matches "*\\MsMpEng.exe"
OR Image matches "*\\SearchIndexer.exe"
OR Image matches "*\\SgrmBroker.exe"
OR Image matches "*\\CompatTelRunner.exe"
OR Image matches "*\\TiWorker.exe")
| if (Image matches "*powershell*" OR Image matches "*pwsh.exe" OR Image matches "*cmd.exe" OR Image matches "*wscript.exe" OR Image matches "*cscript.exe" OR Image matches "*mshta.exe", 1, 0) as IsScriptEngine
| if (Image matches "*python3.exe" OR Image matches "*python.exe" OR Image matches "*pythonw.exe", 1, 0) as IsPython
| if (Image matches "*7z.exe" OR Image matches "*winrar.exe" OR Image matches "*robocopy.exe" OR Image matches "*xcopy.exe" OR Image matches "*tar.exe", 1, 0) as IsArchiver
| if (Image matches "*\\Temp\\*" OR Image matches "*\\AppData\\Roaming\\*" OR Image matches "*\\Downloads\\*" OR Image matches "*\\Public\\*", 1, 0) as IsSuspiciousPath
| IsScriptEngine + IsPython + IsArchiver + IsSuspiciousPath as RiskScore
| if (TargetFilename matches "*Chrome*" OR TargetFilename matches "*chrome*", "Chrome",
if (TargetFilename matches "*Edge*" OR TargetFilename matches "*edge*", "Edge",
if (TargetFilename matches "*Firefox*" OR TargetFilename matches "*firefox*"
OR TargetFilename matches "*places.sqlite*"
OR TargetFilename matches "*logins.json*"
OR TargetFilename matches "*key4.db*", "Firefox",
if (TargetFilename matches "*Brave*" OR TargetFilename matches "*brave*", "Brave",
if (TargetFilename matches "*Vivaldi*", "Vivaldi", "Unknown"))))) as BrowserTarget
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, BrowserTarget, IsScriptEngine, IsPython, IsArchiver, IsSuspiciousPath, RiskScore
| sort by RiskScore, _messageTimeSumo Logic query detecting T1217 Browser Information Discovery via Sysmon EventID 11 file creation events. Identifies non-browser and non-system processes targeting browser credential, history, and session storage files across Chrome, Edge, Firefox, Brave, Opera, and Vivaldi profile directories. Applies risk scoring based on initiating process classification.
Data Sources
Required Tables
False Positives & Tuning
- Sumo Logic's own Installed Collector agent or other log aggregation agents (Splunk UF, NXLog, Winlogbeat) may briefly access filesystem paths during log source configuration validation or broad file monitoring rule evaluation
- Corporate data loss prevention (DLP) solutions (Symantec DLP, Forcepoint) performing content inspection of browser storage files to enforce policy against sensitive data caching in browsers
- Endpoint detection and response platforms performing scheduled baseline snapshots or continuous file integrity monitoring of browser profile directories as part of their threat detection engine
Other platforms for T1217
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Copy Chrome History and Bookmarks
Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine referencing 'Chrome\User Data\Default\History' and 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create — TargetFilename matching $TEMP\browser_data_test\History and $TEMP\browser_data_test\Bookmarks, with Image=powershell.exe. DeviceFileEvents ActionType=FileCopied for both files.
- Test 2CMD Directory Enumeration of Firefox Profiles
Expected signal: Sysmon Event ID 1: Process Create — cmd.exe with CommandLine containing '%APPDATA%\Mozilla\Firefox\Profiles\'. Security Event ID 4688 (if process command line auditing enabled). No file creation events from dir enumeration, but process command line is the primary indicator.
- Test 3Python SQLite Query Against Chrome History
Expected signal: Sysmon Event ID 1: Process Create — python.exe with CommandLine referencing '%LOCALAPPDATA%\Google\Chrome\User Data\Default\History' and 'sqlite3'. Sysmon Event ID 11: File Create — TargetFilename=$TEMP\hist_tmp.db with Image=python.exe. DeviceFileEvents ActionType=FileCopied for History file.
- Test 4PowerShell Read Chrome Bookmarks for Internal Resource Discovery
Expected signal: Sysmon Event ID 1: Process Create — powershell.exe with CommandLine containing 'Chrome\User Data\Default\Bookmarks'. Sysmon Event ID 11: File Create may not fire for read-only access; rely on DeviceFileEvents ActionType=FileRead in MDE. PowerShell Script Block Log Event ID 4104 captures the full script including ConvertFrom-Json parsing logic.
- Test 5Linux Shell Script Collecting Firefox and Chrome Browser Data
Expected signal: Linux auditd: syscall execve for bash/sh with browser path arguments, and open/read syscalls on ~/.mozilla/firefox/*/places.sqlite and ~/.config/google-chrome/Default/History. Syslog entries if auditd rules are configured for home directory access. Linux file access events in Sysmon for Linux (if deployed): EventCode=11 for file creation in /tmp/browser_staging.
References (9)
- https://attack.mitre.org/techniques/T1217/
- https://support.google.com/chrome/a/answer/7349337
- https://www.kaspersky.com/blog/browser-data-theft/27871/
- https://securelist.com/calisto-trojan-for-macos/86543/
- https://www.sentinelone.com/labs/metador-investigating-an-elusive-apt/
- https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.splunk.com/en_us/blog/security/detecting-redline-stealer.html
Unlock Pro Content
Get the full detection package for T1217 including response playbook, investigation guide, and atomic red team tests.