Description
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)
Platforms
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has collected sensitive browser data using the function `GetBrowserData()` to include login credentia... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Google Chrome bookmarks to identify internal resources and assets.(Citation: CISA AA20-25... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has targeted the browsing history of network administrators.(Citation: CISA AA24-038A PRC Critic... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has collected browser bookmark information to learn more about compromised hosts, obtain personal infor... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser histories via infostealer malware such as Raccoon Stealer.(Citation: CISA ... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) deployed malware such as YouieLoader capable of capturing victim system browser information.(... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>type \\<hostname>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*... |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S0274 | Calisto | Malware | [Calisto](https://attack.mitre.org/software/S0274) collects information on bookmarks from Google Chrome.(Citation: Securelist Calisto July 2018) |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can retrieve browser history and database files.(Citation: Threatpost Lizar May 2021)(Citation: BiZon... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers.(Citation: ESET M... |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) can monitor browser activity for online banking actions and display full-screen overlay images to b... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has searched the victim device for browser extensions including those commonly associated with c... |
| S1012 | PowerLess | Malware | [PowerLess](https://attack.mitre.org/software/S1012) has a browser info stealer module that can read Chrome and Edge browser database files.(Citation:... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) can retrieve browser history.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can retrieve browser history.(Citation: Prevailion DarkWatchman 2021) |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can collect the contents of the `%USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState` fi... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has the ability to gather browser data such as bookmarks and visited sites.(Citation: Github PowerSh... |
| S1185 | LightSpy | Malware | To collect data on the host's Wi-Fi connection history, [LightSpy](https://attack.mitre.org/software/S1185) reads the `/Library/Preferences/SystemConf... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) can collect information from browsers and browser extensions.(Citation: Splunk RedLine Stea... |
| S1042 | SUGARDUMP | Malware | [SUGARDUMP](https://attack.mitre.org/software/S1042) has collected browser bookmark and history information.(Citation: Mandiant UNC3890 Aug 2022) |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has searched browser data for cookies, history, login databases, and cryptocurrency wallets.(Cita... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) collects information from Chromium-based browsers and Firefox such as cookies, history, downl... |
| S0079 | MobileOrder | Malware | [MobileOrder](https://attack.mitre.org/software/S0079) has a command to upload to its C2 server victim browser bookmarks.(Citation: Scarlet Mimic Jan ... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has identified and gathered information from two-factor authentication extensions for multipl... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can collect bookmarks, cookies, and history from Safari.(Citation: Kandji Cuckoo April 2024) |
References
- Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.
- Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.
Frequently Asked Questions
What is T1217 (Browser Information Discovery)?
T1217 is a MITRE ATT&CK technique named 'Browser Information Discovery'. It belongs to the Discovery tactic(s). Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of pe...
How can T1217 be detected?
Detection of T1217 (Browser Information Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1217?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1217?
Known threat groups using T1217 include: Kimsuky, Fox Kitten, Volt Typhoon, APT38, Scattered Spider, Moonstone Sleet, Chimera.