ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR003.004
  • Created: 31st May 2024
  • Updated: 26th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Installing Browser Extensions

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

Prevention

ID Name Description
PV003Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT060Chrome Browser Extensions

Google's Chrome browser stores details about any browser extensions that are installed, providing the user with additional functionality.

 

On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Extensions. Several directories will be listed, each one representing an installed extension. The directories and files inside, notably 'manifest.json', will contain information about the extension and its functionality. This can be combined with OSINT to learn more about the extension.

DT019Chrome Browser History

Google's Chrome browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT018Edge Browser History

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT017Firefox Browser History

Mozilla's Firefox browser stores the history of accessed websites.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

 

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.