Automated Collection Bookmarks Using Get-ChildItem PowerShell
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Sigma rule
```yaml
title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
status: test
description: |
    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
    internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1217
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ChildItem'
            - ' -Recurse '
            - ' -Path '
            - ' -Filter Bookmarks'
            - ' -ErrorAction SilentlyContinue'
            - ' -Force'
    condition: selection
falsepositives:
    - Unknown
level: low
```
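The selection above is a `contains|all` test: every one of the six substrings (spaces included) must appear somewhere in the `ScriptBlockText` of a Script Block Logging event (Event ID 4104), in any order. The following is an added example, not code from the Sigma project or from the rule author, that reproduces that matching logic in Python and runs it over a handful of constructed 4104-style records. It assumes Sigma's default case-insensitive string comparison and uses the field name `ScriptBlockText` exactly as the rule does; the sample script blocks are invented for illustration and are not real telemetry.

```python
"""Evaluate the rule's `ScriptBlockText|contains|all` selection against
constructed PowerShell Script Block Logging events.

Added example; not part of the Sigma project or of the rule itself.
"""

# The six substrings from the rule's `selection`, copied verbatim.
# The leading/trailing spaces are part of the match and matter below.
REQUIRED_SUBSTRINGS = (
    "Get-ChildItem",
    " -Recurse ",
    " -Path ",
    " -Filter Bookmarks",
    " -ErrorAction SilentlyContinue",
    " -Force",
)


def matches_rule(script_block_text: str) -> bool:
    """Return True when every required substring occurs in the script block.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. `contains|all` is a plain substring test with no ordering
    requirement between the values.
    """
    haystack = script_block_text.lower()
    return all(needle.lower() in haystack for needle in REQUIRED_SUBSTRINGS)


# Constructed Event ID 4104 records, trimmed to the one field the rule reads.
# The `id` labels are ours: tp = expected true positive, fn = a near miss the
# rule does not cover, benign = ordinary administration that should not fire.
SAMPLE_EVENTS = [
    {
        "id": "tp-atomic-style",
        "ScriptBlockText": "Get-ChildItem -Path C:\\Users\\ -Filter Bookmarks "
                           "-Recurse -ErrorAction SilentlyContinue -Force",
    },
    {
        # Parameters reordered and lower-cased: still matches, because
        # contains|all is unordered and case-insensitive.
        "id": "tp-reordered-mixed-case",
        "ScriptBlockText": "get-childitem -recurse -force -path $env:USERPROFILE "
                           "-erroraction silentlycontinue -filter bookmarks | select FullName",
    },
    {
        # Quoting the filter value breaks the literal ' -Filter Bookmarks' token.
        "id": "fn-quoted-filter",
        "ScriptBlockText": "Get-ChildItem -Path C:\\Users\\ -Filter 'Bookmarks' "
                           "-Recurse -ErrorAction SilentlyContinue -Force",
    },
    {
        # The gci alias is not the literal 'Get-ChildItem' string.
        "id": "fn-alias",
        "ScriptBlockText": "gci -Path C:\\Users\\ -Filter Bookmarks "
                           "-Recurse -ErrorAction SilentlyContinue -Force",
    },
    {
        # Routine log cleanup with the same parameter shape but a different filter.
        "id": "benign-admin",
        "ScriptBlockText": "Get-ChildItem -Path C:\\inetpub\\logs -Recurse "
                           "-Filter *.log -ErrorAction SilentlyContinue -Force",
    },
]


def evaluate(events) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_rule(event["ScriptBlockText"]) else "silent"
        print(f"{verdict}  {event['id']}: {event['ScriptBlockText']}")
```

Running it shows the two `tp-` records alerting and the other three staying silent. The two `fn-` records are worth keeping in mind when triaging: the rule keys on exact substrings, so `-Filter 'Bookmarks'`, `-Filter "Bookmarks"`, the `gci`/`ls`/`dir` aliases, or `-Include Bookmarks` all fall outside its selection, which is consistent with its `low` level and `test` status. Script Block Logging must be on (the rule's `logsource.definition`) or there is no `ScriptBlockText` to match at all.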
Related rules
- File And SubFolder Enumeration Via Dir Command
- Suspicious Where Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule