Browser Bookmark Discovery

Information

• Name: Browser Information Discovery

• ID: T1217

• Tactics: TA0007

Introduction

Browser Bookmark Discovery is categorized under the MITRE ATT&CK framework as a discovery technique (T1217) used by adversaries to gather intelligence on compromised systems. Attackers leverage browser bookmarks to identify sensitive internal URLs, web applications, intranet resources, cloud services, and user-specific interests. This information can guide further exploitation, lateral movement, and targeted phishing attacks, enhancing the attacker’s understanding of the victim’s environment and potential vulnerabilities.

Deep Dive Into Technique

Browser bookmarks typically contain URLs frequently accessed or deemed important by users, often including internal or private resources. Attackers can exploit this by:

• Accessing browser-specific bookmark storage locations:

  • Chrome stores bookmarks in Bookmarks and Bookmarks.bak files located in:

    • Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Bookmarks

    • macOS: ~/Library/Application Support/Google/Chrome/Default/Bookmarks

    • Linux: ~/.config/google-chrome/Default/Bookmarks

  • Firefox bookmarks are stored within SQLite databases (places.sqlite) located in:

    • Windows: %APPDATA%\Mozilla\Firefox\Profiles\<profile>\places.sqlite

    • macOS: ~/Library/Application Support/Firefox/Profiles/<profile>/places.sqlite

    • Linux: ~/.mozilla/firefox/<profile>/places.sqlite

  • Edge stores bookmarks similarly to Chrome, in JSON files within:

    • Windows: %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Bookmarks

• Extracting bookmark data using scripts or tools capable of parsing JSON or SQLite databases.

• Automating extraction via custom scripts or leveraging post-exploitation frameworks such as Metasploit, Cobalt Strike, or Empire.

• Analyzing extracted URLs for sensitive internal resources, cloud services, or administrative portals.

Attackers commonly automate this technique to quickly enumerate valuable internal resources and pivot points within the compromised environment.

When this Technique is Usually Used

Attackers typically employ Browser Bookmark Discovery during the following scenarios and stages:

• Initial Reconnaissance and Discovery Phase: Immediately after gaining initial access, attackers seek to understand the victim’s environment and identify high-value targets.

• Lateral Movement and Privilege Escalation: Bookmark data can reveal internal applications, portals, and administrative interfaces, facilitating lateral movement and privilege escalation.

• Targeted Phishing Campaigns: Bookmarks often indicate user interests and critical resources, allowing attackers to craft highly personalized and convincing phishing emails.

• Persistence and Long-Term Access: Attackers may periodically extract bookmarks to monitor changes in organizational resources, identifying new opportunities for exploitation or lateral movement.

• Data Exfiltration Planning: Understanding internal resources helps attackers identify valuable data repositories and plan efficient data exfiltration methods.

How this Technique is Usually Detected

Organizations can detect Browser Bookmark Discovery through various methods, tools, and indicators of compromise (IoCs):

• Endpoint Monitoring and Detection Tools:

  • Endpoint Detection and Response (EDR) solutions (CrowdStrike Falcon, Carbon Black, Microsoft Defender ATP) can detect suspicious file access to bookmark files.

  • File integrity monitoring (FIM) tools can alert on unauthorized access or modification of bookmark files.

• Behavioral Analytics and Anomaly Detection:

  • Security Information and Event Management (SIEM) platforms (Splunk, QRadar, Elastic Security) can detect unusual file access patterns or abnormal processes attempting to access browser data.

  • User and Entity Behavior Analytics (UEBA) can identify deviations from normal user behavior, such as unexpected access to browser files from uncommon processes or accounts.

• Audit Logging and Monitoring:

  • Monitor access to bookmark storage locations and databases using OS-level audit logging (Windows Event Logs, Linux auditd).

  • Track unusual process executions, especially scripts or command-line tools used to parse JSON or SQLite files.

• Indicators of Compromise (IoCs):

  • Presence of unauthorized scripts or tools capable of parsing bookmark files.

  • Unusual access timestamps or file read events on bookmark files.

  • Evidence of bookmark file copies or transfers to external or temporary locations.

Why it is Important to Detect This Technique

Early detection of Browser Bookmark Discovery is critical for several reasons:

• Prevention of Lateral Movement: Bookmarks often contain internal URLs and administrative portals, making them valuable intelligence for lateral movement. Detecting early prevents attackers from leveraging this information.

• Mitigation of Targeted Attacks: Early detection helps prevent attackers from crafting targeted phishing campaigns or exploiting sensitive internal resources.

• Protection of Sensitive Information: Bookmarks may include confidential or sensitive URLs to internal applications, cloud services, or administrative interfaces, posing significant risks if compromised.

• Avoiding Data Exfiltration: Identifying this technique early prevents attackers from gaining insight into critical data repositories, reducing the risk of data breaches or unauthorized data exfiltration.

• Incident Containment and Response: Detecting bookmark discovery activity allows security teams to promptly investigate, contain, and remediate incidents before attackers escalate privileges or cause extensive damage.

Examples

Real-world examples illustrating Browser Bookmark Discovery include:

• APT Groups and Nation-State Actors:

  • Advanced Persistent Threat (APT) groups frequently utilize bookmark discovery techniques during initial reconnaissance phases to identify sensitive internal resources within targeted organizations.

  • APT29 (Cozy Bear) and APT28 (Fancy Bear) have been known to leverage browser artifacts, including bookmarks, to enhance reconnaissance and lateral movement capabilities.

• Red Team and Penetration Testing Tools:

  • Metasploit Framework includes modules for extracting browser bookmarks from compromised systems, demonstrating the ease of automating this technique.

  • Cobalt Strike and Empire frameworks provide capabilities for bookmark extraction as part of post-exploitation activities, widely used by penetration testers and adversaries alike.

• Commodity Malware and Infostealers:

  • Infostealer malware variants such as RedLine Stealer, Vidar, and Raccoon Stealer routinely target browser bookmarks to harvest sensitive URLs, credentials, and user interests for monetization or further exploitation.

  • Credential harvesting malware often includes bookmark extraction functionality to identify high-value targets like banking portals, cloud services, and internal corporate resources.

• Incident Case Studies:

  • During the SolarWinds supply chain compromise, adversaries leveraged browser data, including bookmarks, to identify internal resources and facilitate lateral movement within victim networks.

  • Investigations into ransomware incidents often reveal attackers initially extracting browser bookmarks to identify critical internal applications, file shares, and cloud storage locations for targeted encryption and extortion efforts.