title: Browser Information Discovery (T1217)
id: df00tech-t1217
status: experimental
description: "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal personal information about users (banking sites, social media, relationships) as well as details about internal network resources such as servers, tools/dashboards, and other infrastructure. Browser information may also highlight additional targets after an adversary has access to valid credentials, especially credentials cached by browsers in Login Data or logins.json files. Specific storage locations vary by platform and application, but browser information is typically stored in local SQLite databases and JSON files under user profile directories."
references:
  - https://attack.mitre.org/techniques/T1217/
  - https://df00tech.com/detections/T1217
author: df00tech
date: 2026/04/13
tags:
  - attack.t1217
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
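  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches every event, so replace it with the translated logic before deploying.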
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software (Veeam, Acronis, Windows Backup) backing up user AppData directories including browser profiles"
  - "Enterprise endpoint management tools (Tanium, BigFix, SCCM inventory agents) performing asset scans of user profile contents"
  - "Password managers (1Password, Bitwarden, KeePass import utilities) reading browser data for credential import/migration workflows"
  - "Browser profile migration or sync tools (e.g., MigrationAssistant, PCmover) during workstation refresh cycles"
  - Security tools and DLP agents that scan browser storage as part of data classification or credential exposure monitoring
level: medium
