Add Chromium's Notifications artifact #3212
Conversation
0xThiebaut
changed the title
|
I wonder if this is best in the SqliteHunter with all the other chromium artifacts? |
|
Even though it is not SQLite based? |
|
Yes exactly - the SQLiteHunter actually contains a lot of browser artifacts that are sqlite based these days for example extensions https://github.com/Velocidex/SQLiteHunter/blob/main/definitions/ChromiumBrowser_Extensions.yaml |
That "are" or "are not"? This artifact is JSON-based, not SQLite-based. More than happy to contribute it to the repository you prefer. |
|
Yeah sorry thats what I meant - SQLiteHunter contains all kinds of targets which are not always sqlite based at all The main interesting thing about the sqlitehunter is that it has the following steps:
So it is supposed to be as automated as possible - throw it at the endpoint and see what sticks. Any of the browser artifacts, OS artifacts etc should match within the time range of interest. |
|
Created Velocidex/SQLiteHunter#10 but I'll need to figure out the compiling later as the Example Development Walk Through doesn't work out of the box. |
Recover the Chromium notification preferences and associated interactions. Browser notifications may be leveraged for social engineering; This generic artifact recovers the Chromium (Google Chrome, Microsoft Edge, ...) notification preferences and associated interactions.
The notification preferences allow for the identification of which URLs may or may not send notifications. The associated interactions provide metrics on when notifications have been sent, their amount as well as whether the user interacted.
The following is a benign example after having interacted with Mozillas's example notifications.
