# T1217 Browser Bookmark Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

## Technique Detection

Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * Windows

  * macOS

### Adversary Required Permissions:

  * User

### Data Sources:

  * **File:** File Access

  * **Process:** Process Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Google Chrome bookmarks to identify internal resources and assets.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>type \\<hostname>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*</code> for bookmark discovery.(Citation: NCC Group Chimera January 2021)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1217)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use tools to enumerate a workstation’s browser bookmarks to discovery information.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Empire has the ability to gather browser data such as bookmarks and visited sites.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1217 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md)
  * [Empire Project (github)](https://github.com/EmpireProject/Empire)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Bookmarks are often stored in the following locations:
```
    Chrome
        %USERPROFILE%\Local\Google\Chrome\User Data\Default\Bookmarks
    Firefox
        %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite
    InternetExplorer
        %USERPROFILE%\Favorites
```
- Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation (T1047) and PowerShell (T1059.001).
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

#### Analytic 1

  * **Information:** The where.exe with command line parameters such as “/R C:\Users\” and “Bookmarks” or “places.sqlite“ could be indicative of listing for Chrome or Firefox bookmark locations

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```process.name : where.exe or process.command.line : *Bookmarks* or *places.sqlite*```

#### Analytic 2

  * **Information:** Identify processes being spawned by cmd or PS to identify native or non-native tools being used. Note command line parameters for greater sight into activity.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.parent.name : cmd.exe or powershell.exe```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

