T1217.md

T1217 - Browser Bookmark Discovery

Description from ATT&CK

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

Atomic Tests

• Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux

• Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS

• Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS

• Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell

• Atomic Test #5 - List Google Chrome Bookmarks on Windows with command prompt

Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux

Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: Linux

Attack Commands: Run with sh!

find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;

Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS

Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: macOS

Attack Commands: Run with sh!

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;

Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS

Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.

Supported Platforms: macOS

Attack Commands: Run with sh!

find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt \;

Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell

Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.

Supported Platforms: Windows

Attack Commands: Run with powershell!

where.exe /R C:\Users\ Bookmarks

Atomic Test #5 - List Google Chrome Bookmarks on Windows with command prompt

Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

where /R C:\Users\ Bookmarks