Microsoft Defender Alert Details
Alert ID: MD-BOOKMARK-DISCOVERY-1217-7842
Alert Time: 2024-02-23 16:30:45 EST
Severity: MEDIUM (68/100)
Source: Microsoft Defender for Endpoint
Rule: “Browser Bookmark Access – Potential Reconnaissance”
MITRE ATT&CK: T1217 – Browser Bookmark Discovery
Alert Details:
Detection: Process accessing browser bookmark files
Host: MKT-WS-112 (Marketing Workstation)
User: sjones (Sarah Jones, Marketing Manager)
Time: 16:25 EST
File Access Events:
16:25:10 – Process accessed: C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
16:25:15 – Process accessed: C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak
16:25:20 – Process accessed: C:\Users\sjones\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite
16:25:25 – Process accessed: C:\Users\sjones\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks
Process Details:
Process: C:\Temp\bookmark_viewer.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: sjones
Bookmark Categories Found:
“Corporate Banking” – 3 bookmarks
“VPN Access” – 2 bookmarks
“Internal Portals” – 5 bookmarks
“Cloud Services” – 8 bookmarks
“Vendor Portals” – 12 bookmarks
Total bookmarks: 147
Detection Logic:
Process accessing browser bookmark files (unusual)
Bookmarks contain sensitive/internal URLs
Process from Temp folder (suspicious)
Pattern matches reconnaissance for targeted attacks
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed bookmark access |
| 2. Process Analysis | Analyze bookmark_viewer.exe | Defender Sandbox | Tool extracts and categorizes bookmarks |
| 3. Immediate Action | Terminate process | Defender | Process killed |
| 4. File Deletion | Delete bookmark_viewer.exe | Defender | File removed |
| 5. User Interview | Contact sjones | Teams, Phone | User downloaded “bookmark manager” tool |
| 6. Data Check | Verify exfiltration | Firewall Logs, DLP | No exfiltration detected |
Jira Incident Report
Ticket: SOC-2024-119
Summary: T1217 – Browser Bookmark Discovery Tool Executed
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P3 – LOW
Labels: T1217, bookmark-discovery, reconnaissance, defender, marketing
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Browser Bookmark Access – Potential Reconnaissance”.
Host: MKT-WS-112 (Marketing Department, user sjones).
Process: C:\Temp\bookmark_viewer.exe.
Time: 2024-02-23 16:30 EST.
Technique: MITRE ATT&CK T1217 – Browser Bookmark Discovery.
2. Technical Analysis:
Attack Chain:
16:15 – User searches for “bookmark manager tool”
16:16 – Downloads bookmark_viewer.exe from freeware site
16:17 – Executes tool
16:18-16:25 – Tool accesses Chrome, Firefox, Edge bookmarks
16:25 – Defender detects
16:26 – SOC investigates
Tool Analysis:
Name: bookmark_viewer.exe (legitimate bookmark manager, potentially abused)
SHA256: a1b2c3d4…
Capabilities:
Reads bookmarks from all major browsers
Categorizes bookmarks by folder
Exports to HTML/CSV
Attempts to phone home (blocked)
Bookmarks Discovered:
Internal Portals: Confluence, Jira, HR system, IT helpdesk, VPN
Cloud Services: Office 365, AWS, Azure, GCP, Salesforce
Vendor Portals: 12 different vendor login pages
Banking: Corporate banking, expense reporting
Total: 147 bookmarks with corporate/login information
Exfiltration Attempt:
Tool attempted to POST bookmark data to 185.143.221[.]89:8080
Connection blocked by firewall
No data exfiltrated
3. Investigation Findings:
Timeline:
16:15 – Tool downloaded
16:17 – Tool executed
16:18-16:25 – Bookmarks accessed
16:25 – Defender alert
16:26 – Process terminated
16:27 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Temp\bookmark_viewer.exe (SHA256: a1b2c3d4…)
– C:\Temp\bookmarks_export.html (partial)
Network:
– C2 attempt: 185.143.221[.]89:8080 (blocked)
4. Containment Actions:
Immediate Actions:
Terminated bookmark_viewer.exe.
Deleted executable and export file.
Blocked C2 IP at firewall.
Data Review:
Verified no exfiltration occurred.
Bookmarks unchanged.
User Remediation:
User counseled on downloading freeware.
Advised to use corporate-approved tools only.
5. Root Cause Analysis:
Primary Cause: User downloaded untrusted bookmark manager tool.
Contributing Factors:
No application control blocking unknown executables.
User unaware of risks of freeware tools.
6. Business Impact:
Operational Impact: None.
Data Exposure: Bookmark data accessed locally but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
User educated.
C2 blocked.
Technical Controls Enhanced:
Created alert for bookmark file access by non-browser processes.
Enhanced application control policies.
Added bookmark exfiltration attempt to monitoring.
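The detection logic listed in the alert (non-browser process, Temp-folder image, several browser stores touched) and the follow-up alert for bookmark file access by non-browser processes can both be expressed as a small scoring check. This is an added example, not Defender's rule or the page's own code; it assumes file-access events carry host, pid, image and file fields, a hypothetical browser allow-list, and constructed sample events modelled on the alert.

```python
import re
from collections import defaultdict

# Bookmark stores named in the alert: Chromium-family "Bookmarks" files and Firefox places.sqlite.
BOOKMARK_RE = re.compile(
    r"\\(?P<chromium>Chrome|Edge)\\User Data\\[^\\]+\\Bookmarks(\.bak)?$"
    r"|\\Mozilla\\(?P<firefox>Firefox)\\Profiles\\[^\\]+\\places\.sqlite$",
    re.IGNORECASE,
)
# Browsers expected to read their own stores (assumed allow-list, not a Defender setting).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Writable scratch locations from which approved business software rarely runs.
TEMP_RE = re.compile(r"^C:\\(Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\", re.IGNORECASE)

def evaluate(events):
    """Return one finding per non-browser process that touched a bookmark store."""
    by_proc = defaultdict(list)
    for e in events:
        m = BOOKMARK_RE.search(e["file"])
        if m:
            family = (m.group("chromium") or m.group("firefox")).lower()
            by_proc[(e["host"], e["pid"], e["image"])].append(family)
    findings = []
    for (host, pid, image), families in by_proc.items():
        if image.rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue  # a browser reading its own store is normal
        reasons, score = ["non-browser process read a bookmark store"], 40
        if TEMP_RE.match(image):
            reasons.append("image runs from a Temp folder")
            score += 20
        if len(set(families)) > 1:
            reasons.append(f"touched {len(set(families))} browser families")
            score += 20
        findings.append({"host": host, "pid": pid, "image": image,
                         "score": score, "reasons": reasons})
    return findings

# Constructed sample events modelled on the alert's file-access list, plus a benign Chrome read.
SAMPLE_EVENTS = [
    {"host": "MKT-WS-112", "pid": 4789, "image": r"C:\Temp\bookmark_viewer.exe",
     "file": r"C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"},
    {"host": "MKT-WS-112", "pid": 4789, "image": r"C:\Temp\bookmark_viewer.exe",
     "file": r"C:\Users\sjones\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\places.sqlite"},
    {"host": "MKT-WS-112", "pid": 4789, "image": r"C:\Temp\bookmark_viewer.exe",
     "file": r"C:\Users\sjones\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks"},
    {"host": "MKT-WS-112", "pid": 1120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "file": r"C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields a single finding for PID 4789 with all three reasons; the chrome.exe read is ignored, and a non-browser process outside Temp touching one store would still surface with only the base reason.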
8. Conclusion:
A user downloaded a bookmark manager tool that accessed browser bookmarks containing internal and sensitive URLs. The tool attempted to exfiltrate the data but was blocked. Defender detected the bookmark access and the process was terminated.
Closure Rationale: Tool removed; data contained; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-23 17:30 EST