valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-07 01:55:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f79f50bec3
atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1217.md
yugoslavskiy f79f50bec3 changed directories names
2019-02-12 04:55:11 +01:00

1.9 KiB
Raw Blame History

T1217 - Browser Bookmark Discovery

Description from ATT&CK

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

Atomic Tests


Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux

Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: Linux

Run it with sh!

find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;


Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS

Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: macOS

Run it with sh!

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;