T1217.md

T1217 - Browser Bookmark Discovery

Description from ATT&CK

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials in Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

Atomic Tests

• Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux

• Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS

• Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS

• Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell

• Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.

• Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.

Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux

Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: Linux

Inputs:

Name	Description	Type	Default Value
output_file	Path where captured results will be placed.	Path	/tmp/T1217-Firefox.txt

Attack Commands: Run with sh!

find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm -f #{output_file} 2>/dev/null

Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS

Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.

Supported Platforms: macOS

Inputs:

Name	Description	Type	Default Value
output_file	Path where captured results will be placed.	Path	/tmp/T1217_Firefox.txt

Attack Commands: Run with sh!

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm -f #{output_file} 2>/dev/null

Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS

Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.

Supported Platforms: macOS

Inputs:

Name	Description	Type	Default Value
output_file	Path where captured results will be placed.	Path	/tmp/T1217-Chrome.txt

Attack Commands: Run with sh!

find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

Cleanup Commands:

rm -f #{output_file} 2>/dev/null

Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell

Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force

Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.

Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

where /R C:\Users\ Bookmarks

Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.

Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. Upon execution, paths that contain bookmark files will be displayed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

where /R C:\Users\ places.sqlite