Detections
- Home
- - Detections
- -DT017
- ID: DT017
- Created: 30th May 2024
- Updated: 25th July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Firefox Browser History
Mozilla's Firefox browser stores the history of accessed websites.
On Windows, this information is stored in the following location:
C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\
On macOS:
/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/
On Linux:
/home/<Username>/.mozilla/firefox/<Profile Name>/
In this location two database files are relevant, places.sqlite
(browser history and bookmarks) and favicons.sqlite
(favicons for visited websites and bookmarks).
These database files can be opened in software such as DB Browser For SQLite.
Sections
ID | Name | Description |
---|---|---|
IF001 | Exfiltration via Web Service | A subject uses an existing, legitimate external Web service to exfiltrate data |
IF007 | Unlawfully Accessing Copyrighted Material | A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites. |
IF008 | Inappropriate Web Browsing | A subject accesses web content that is deemed inappropriate by the organization. |
IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
IF010 | Exfiltration via Email | A subject uses electronic mail to exfiltrate data. |
PR005 | IT Ticketing System Exploration | A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information. |
ME006 | Web Access | A subject can access the web with an organization device. |
IF016 | Misappropriation of Funds | A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices. |
IF018 | Sharing on AI Chatbot Platforms | A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information. |
PR023 | Suspicious Web Browsing | A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event. |
IF001.001 | Exfiltration via Cloud Storage | A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF001.002 | Exfiltration via Code Repository | A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF001.003 | Exfiltration via Text Storage Sites | A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF001.004 | Exfiltration via Webhook | A subject may use an existing, legitimate external Web service to exfiltrate data |
IF007.001 | Downloading Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material. |
IF007.003 | Distributing Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material. |
IF008.001 | Lawful Pornography | A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment. |
IF008.002 | Unlawful Pornography | A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law. |
IF008.003 | Terrorist Content | A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism). |
IF008.004 | Extremist Content | A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups. |
IF008.005 | Gambling | A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.006 | Inappropriate Usage of Social Media | A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image. |
IF008.007 | Gaming | A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.008 | Other Inappropriate Content | A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF005.002 | Exfiltration via Web-Based Messaging Application | A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system. |
IF007.002 | Streaming Copyrighted Material | A subject accesses a website that allows for the unauthorized streaming of copyrighted material. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (Such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web-applications with the ability to transmit data and/or files. |
ME006.006 | Code Repositories | A subject can access websites used to access or manage code repositories. |
IF016.001 | Misuse of a Corporate Card | A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use. |
IF016.004 | Insider Trading | A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company. |
IF016.002 | Unauthorized Bank Transfers | A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party. |
IF009.003 | Unintentionally Introducing Malware | A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering. |
IF009.002 | Inappropriate Software | A subject installs software that is not considered appropriate by the organization. |
IF009.001 | Unwanted Software | A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”. |
IF004.003 | Exfiltration via Personal NAS Device | A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data. |
PR003.004 | Installing Browser Extensions | A subject can install unapproved browser extensions that provide additional features and functionality to the browser. |
IF001.005 | Exfiltration via Note-Taking Web Services | A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. |
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |
PR004.002 | Collaboration Platform Exploration | A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account. |
IF018.001 | Exfiltration via AI Chatbot Platform History | A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system. |
IF018.002 | Reckless Sharing on AI Chatbot Platforms | A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information. |