🍎

T1217

Browser Information Discovery

Description from ATT&CK

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)

Tests

Test #1 - Capture currently opened Safari URL

Adversaries use osascript to gather information about the victim's browsing habits and preferences.

tell application "safari"
  set curURL to URL in front document
  return curURL
end tell

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

References

T1124

System Time Discovery

T1489

Service Stop

On this page

Description from ATT&CK
Tests
Test #1 - Capture currently opened Safari URL
References