Suspicious Where Execution

calendar Aug 12, 2024 · attack.discovery attack.t1217  ·
Share on: linkedin copy

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Sigma rule (View on GitHub)

 1title: Suspicious Where Execution
 2id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a
 3status: test
 4description: |
 5    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
 6    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
 7    internal network resources such as servers, tools/dashboards, or other related infrastructure.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
10author: frack113, Nasreddine Bencherchali (Nextron Systems)
11date: 2021-12-13
12modified: 2022-06-29
13tags:
14    - attack.discovery
15    - attack.t1217
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    where_exe:
21        - Image|endswith: '\where.exe'
22        - OriginalFileName: 'where.exe'
23    where_opt:
24        CommandLine|contains:
25            # Firefox Data
26            - 'places.sqlite'
27            - 'cookies.sqlite'
28            - 'formhistory.sqlite'
29            - 'logins.json'
30            - 'key4.db'
31            - 'key3.db'
32            - 'sessionstore.jsonlz4'
33            # Chrome Data
34            - 'History'
35            - 'Bookmarks'
36            - 'Cookies'
37            - 'Login Data'
38    condition: all of where_*
39falsepositives:
40    - Unknown
41level: low

References

Related rules

to-top