-
Notifications
You must be signed in to change notification settings - Fork 496
/
NirsoftBrowserViewer.yaml
85 lines (74 loc) · 2.99 KB
/
NirsoftBrowserViewer.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Windows.Applications.NirsoftBrowserViewer
description: |
This artifact wraps the Nirsoft BrowsingHistoryView tool - a tool
for parsing browser history from a variety of browsers.
More information about the tool can be found here
https://www.nirsoft.net/utils/browsing_history_view.html
NOTE: This binary is treated as malware by many detection engines
since it is capable of dumping user passwords and search history!!!
Running it on the endpoint may (hopefully) trigger endpoint defences.
BrowsingHistoryView v2.55 - View browsing history of your Web browsers
Copyright (c) 2012 - 2023 Nir Sofer
tools:
- name: NirsoftBrowsingHistoryView64
url: https://github.com/Velocidex/Tools/raw/main/BrowsingHistoryView/BrowsingHistoryView-amd64.exe
expected_hash: c50d3f139bc7ed05fb0f5e25671ec0268b577d5930f27964291cc8747970f2c3
serve_locally: true
parameters:
- name: HistorySource
default: 1
description: Source of history data (1=All users).
- name: URLRegex
default: .
description: Filter URLs by this regex
type: regex
- name: DateAfter
type: timestamp
- name: DateBefore
type: timestamp
- name: AlsoUpload
type: bool
description: Also upload BrowsingHistoryView produced CSV file.
- name: PARSE_TZ
default: LOCAL
description: Default timezone for parsing timestamps
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
-- firstly set timebounds for performance
LET DateAfterTime <= if(condition=DateAfter,
then=timestamp(epoch=DateAfter), else=timestamp(epoch="1600-01-01"))
LET DateBeforeTime <= if(condition=DateBefore,
then=timestamp(epoch=DateBefore), else=timestamp(epoch="2200-01-01"))
LET CSVFile <= tempfile(extension='.csv')
-- Download the binary and create a csv file to write on.
LET tmp_exe = SELECT OSPath AS BinPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="NirsoftBrowsingHistoryView64")
LET results = SELECT CSVFile
FROM foreach(row=tmp_exe,
query={
SELECT CSVFile,
if(condition=AlsoUpload,
then=upload(file=CSVFile,
name="NirsoftBrowsingHistoryView.csv")) AS Upload
FROM execve(argv=[
BinPath,
"/VisitTimeFilterType", "1",
"/HistorySource", HistorySource, "/LoadIE", "1",
"/LoadFirefox", "1", "/LoadChrome", "1",
"/LoadSafari", "1",
"/scomma", CSVFile, "/SaveDirect"])
})
WHERE Upload OR TRUE
-- Filter the results by the user specs
SELECT * FROM foreach(row=results,
query={
-- This timestamp is in US style time and local time... boo :-(
SELECT *, timestamp(string=`Visit Time`,
format="1/2/2006 3:04:05 PM") AS Visited
FROM parse_csv(filename=CSVFile)
})
WHERE URL =~ URLRegex AND
Visited > DateAfterTime AND
Visited < DateBeforeTime