Suspicious Where Execution

Severity: low
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1217` Browser Information Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of where_exe`

or:
Image|endswith: '\where.exe'
OriginalFileName: where.exe

Stage 2: `all of where_opt`

or:
CommandLine|contains: Bookmarks
CommandLine|contains: Cookies
CommandLine|contains: History
CommandLine|contains: 'Login Data'
CommandLine|contains: cookies.sqlite
CommandLine|contains: formhistory.sqlite
CommandLine|contains: key3.db
CommandLine|contains: key4.db
CommandLine|contains: logins.json
CommandLine|contains: places.sqlite
CommandLine|contains: sessionstore.jsonlz4

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`Bookmarks` corpus 2 (sigma 2) `Cookies` corpus 2 (sigma 2) `History` corpus 2 (sigma 2) `Login Data` corpus 2 (sigma 2) `cookies.sqlite` corpus 2 (sigma 2) `formhistory.sqlite` `key3.db` `key4.db` `logins.json` `places.sqlite` corpus 2 (sigma 2) `sessionstore.jsonlz4`
`Image`	ends_with	`\where.exe`
`OriginalFileName`	eq	`where.exe`