Detect Browser Bookmark Discovery Techniques on Windows using KQL
Hi Medium! Here we are again with a new article about Sentinel in our series, we will talk today about how we can use Atomic Red to run Discovery techniques, and how to use KQL in detecting Browser Bookmark Discovery Techniques, I will have different articles on the same topic, so stay tuned 😊
This article will cover the following:
What is Atomic Red?
What is KQL in Sentinel?
My Setup
What we will do?
Browser Bookmark Discovery T1217
Why it is important to track Browser Bookmark discovery
Atomic Red Test Simulation
Detect Atomic Test #4,5,6,7 — List Google Chrome / Opera Bookmarks on Windows with powershell
Conclusion
What is Atomic Red?
Atomic Red Team is a library of tests that every security team can execute to simulate adversarial activity and validate their defenses. For more details on how to use it you can check my previous article: Simulate Discovery Techniques on Windows via Atomic Red
What is KQL in Sentinel?
Kusto Query Language is the language you will use to work with and manipulate data in Microsoft Sentinel. The logs you feed into your workspace aren’t worth much if you can’t analyze them and get the important information hidden in all that data. — More
My Setup
My setup is all hosted on Azure cloud, where I have one machine to simulate testing attacks on it and Sentinel to collect logs, you can follow those articles to have the same setup:
What we will do?
In this article and the next ones, I will share with you how you can detect those techniques in Sentinel, using the same KQL I am sharing with you, you can use it to create alerts in your Sentinel to detect future threats. You can check the following article to create alerts in your Sentinel, Detect and Alert on Sentinel
Browser Bookmark Discovery T1217
Technique marked by T1217, that does not only focus on bookmarks but more on browser details and informations.
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. Link
Personal details are always important even to threaten someone in a company or to build a case on half true informations, countless amount of examples; “Anyone checked Google and thought he do have cancer, playing on those weak points, can get people interest to click on things!”
From a company perspective, you can have a list of GUI used to monitor the network performance or even execute commands on remote servers, in a gue IPv6 network, suck information are like DIAMONDS 💠 ❌ 👹
Why it is important to track Browser Bookmark discovery
It’s always important to watch who is watching you, from my view the first thing I try to gather if I have no guaranty that my session will stay open ona targeted victim, is to collect browsing details, no idea how useful, is like tracking someone where he goes every day but on internet, give it a try:
Watch your bookmarks over time and you will know yourself better… !
Atomic Red Test Simulation
Before we run anything, we need to have an idea about some details, most of browser stores their bookmarks in the same default document. Happy Mister attacker can run the same script always 😛.
Under this method we have 9 tests, that we can run all, but some of them are dedicated to MacOS, Linux, Windows and Others, you can check this link for more details.
For this time we will focus on Windows, so we are interested in Test 5, 6, 7, and 8.
- Test 5: List Google Chrome / Opera Bookmarks on Windows with powershell
Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force
- Test 6: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
where /R C:\Users\ Bookmarks
- Test 7: List Mozilla Firefox bookmarks on Windows with command prompt
where /R C:\Users\ places.sqlite
- Test 8: List Internet Explorer Bookmarks using the command prompt
dir /s /b %USERPROFILE%\Favorites
All details can be found on the link shared previously of Atomic Red.
Detect Atomic Test #5,6,7,8 — List Google Chrome / Opera Bookmarks on Windows with Powershell
For detection here, we have many options, we can set a rule on the files, as we can simply detect when those files are checked by the commands we listed above.
For Sentinel, what I always advise is to try to catch the main action behind bookmarks, to make sure that even if the attacker tries to evade detection he will end up detected :P
The simple code I used here, is the following:
Sysmon_Event_Parser
| extend process = case(process_command_line contains "Bookmarks", process_command_line,
process_command_line contains "places.sqlite", process_command_line,
process_command_line contains "Favorites", process_command_line,
"")
| where isnotempty(process)
I know it’s simple but I would love that you share with me other propositions and better code.
For a hint I am sharing with you some useful resources:
Conclusion
In this article, we showed how we can detect widows browser bookmark techniques using KQL, stay tuned for the rest of the techniques in the article that will follow.
I hope that you enjoyed the article, please let me know if there is something to improve or to change in the comment section 😏
You can check similar articles and other resources used for this article:
Connect with me for more details LinkedIn