Share this page!

Maybe Scrolly?
Dray Agha Profile picture
Twitter logo
Feb 28 19 tweets 6 min read
Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵
We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.
According to this graph I didn’t fact check, Chrome and Safari dominate the game.

Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too.
C͟h͟r͟o͟m͟e͟ ͟&͟ ͟E͟d͟g͟e͟
Both built on Chromium

You find the history database in the following paths:

Chrome:
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History

Edge:
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History
‘sqlite3’ can open up our database files
Then, to see how the data is organised, run ‘.tables’ to see what options we can delve deeper into.
If you just run ‘select * from downloads;’ , you’ll be annoyed by the messy output
To transform the data to something more useful to look at, try this, which will open it up in excel:

.excel
.headers on
select * from downloads;

And then if you tidy this up it's easy to see what the user downloaded and from where
Edge is essentially the same as Chrome, but with path variations
S͟a͟f͟a͟r͟i

Safari’s data can be found in the directory : /System/Volumes/Data/Users/*/Library/Safari/

You can use the files Downloads.plist and History.db
For the History database, we can 'select * from history_items;'
And for the .plist, because we’re lazy we can just strings the file.
F͟i͟r͟e͟f͟o͟x

For Firefox, we’ll go to: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\

And we get the files Downloads.json and Places.sqlite
For the JSON, I’d just take it to CyberChef and pretty it up
gchq.github.io/CyberChef/#rec…
Again we can use sqlite3 for Places.sqlite

And then execute `select * from moz_places;`
But the above looks awful! I have a formatting tip for you that will make it a more enjoyable read:

.mode line
select * from moz_places;
If you’d rather not mess around with command line, you can always find a visualiser that lets you upload your database.

But be careful to not just upload data to any random website….
You may see a suspicious URL amongst this data.

You can take it to Virus total : virustotal.com/gui/search/

Or, to go and see for yourself, go to Urlscan : urlscan.io
I hope this crash-course thread has discussed some tools and methods that will help you explore other forensic artefacts that can help you in web browser investigations 💪

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Feb 19
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵
We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
I don't want to waste anyone's time by highlighting false positives.

So we'd need to dig a bit deeper on the host, and see if any findings can contextualise this activity as legitimate or malicious.

To start, I'd like to pull some data from the machine
Read 13 tweets
Dray Agha Profile picture
Feb 13
This is a cool bit of offensive Nim from @WhyDee86

Let's unravel this from a Defenders point of view 🧵

We'll start with some basic reverse engineering analysis, and then move into monitoring this from an ELK stack

TLDR: A decent SIEM setup will catch this.
Let's start off by compiling it.

We'll then analyse it like we don't know the source code, and we're investigating malware on a machine.

If your compile fails, you'll likely need to download winim library.

[Winim github.com/khchen/winim#i…]
First, let's throw StringSifter at the EXE.

What catches my eye are the ranked strings to do with NIM as well as the AMSI DLL reference.

From a basic strings, I'd already be sus of an unknown EXE like this on a host.

[StringSifter github.com/mandiant/strin…]
Read 15 tweets
Dray Agha Profile picture
Feb 7
This is awesome, thank you @x86matthew.

I wanted to share a blue team perspective on monitoring and hunting for this kind of LNK -> EXE bamboozling

We'll use the example PoC if that's alright with you 🧵
Let's execute the PoC of the .LNK, which brings a pop up.

@x86matthew was kind enough to create a non-malicious PoC. But of course an adversary will not be so kind.

So let's take a look at our logs: Image
Let's assume we're rolling with SysMon.

We get an Event 11 for a strange tmp*.exe being created. This of course could be called something different if re-engineered by an adversary IRL.

But for now let's focus on this tmp*.exe Image
Read 8 tweets
Dray Agha Profile picture
Nov 22, 2021
This article contains DFIR techniques I've used IRL, in investigations where the event logs can't be used.

The real hard work has been done by the articles' referenced tool creators and educators
@davisrichardg / @13CubedDFIR
@scudette / @velocidex
@EricRZimmerman
🧵
1/6
The first technique in the article discusses how to retrieve the PowerShell history for every user account via the 'ConsoleHost_History file' (typically enabled on Windows 10 endpoints)
2/6
The second leverages @EricRZimmerman's PECmd tool to examine Prefetch, an application caching system that we can use to evidence execution
3/6
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @Purp1eW0lf has new unrolls!

Check out other threads from @Purp1eW0lf!

Read all threads by @Purp1eW0lf

:(