- Tactics
- Discovery
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1217
Description
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Discovery tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1033 — System Owner/User Discovery
- T1040 — Network Sniffing
- T1046 — Network Service Discovery
- T1049 — System Network Connections Discovery
- T1057 — Process Discovery
- T1069 — Permission Groups Discovery
- T1082 — System Information Discovery