An attacker leveraged a PowerShell command on a Windows host to enumerate browser bookmark files across all user profiles. Examine the process execution logs to determine the exact filename that was being searched for.

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "Get-ChildItem" or ProcessCommandLine has "dir" | where ProcessCommandLine has @"C:\Users\" | where ProcessCommandLine has "Bookmarks" or ProcessCommandLine has "places.sqlite" or ProcessCommandLine has "*.html" or ProcessCommandLine has "*.url" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Bookmarks", "bookmarks", "Bookmarks.bak", "Favorites", "favorites.db", "favicons.db", "places.sqlite", "user_data") | extend SearchedFile = extract(@"(Bookmarks(\\.bak)?|favorites\\.db|favicons\\.db|places\\.sqlite|user_data)", 0, ProcessCommandLine) | where isnotempty(SearchedFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, SearchedFile

// Step 1: Find PowerShell events related to Chrome Bookmark DeviceProcessEvents | where InitiatingProcessCommandLine has "Bookmarks" and InitiatingProcessCommandLine has "Chrome" // Step 2: Extract the exact filename being searched for | summarize arg_max(Timestamp, *) by InitiatingProcessCommandLine | extend RawFileName = extract(@'Open-FileName\s+"?([a-zA-Z0-9 _.-]*)', 1, InitiatingProcessCommandLine) // Step 3: Clean up the filename value | extend Filename = trim("\"", RawFileName) | project Filename, InitiatingProcessCommandLine, AccountName, DeviceName, Timestamp // Step 4: Keep the latest entry if there are duplicates | summarize arg_max(Timestamp, *) by Filename | sort by Filename asc

DeviceProcessEvents | where InitiatingProcessFileName contains "powershell" | where ProcessCommandLine has_any (".url", ".website", "bookmarks", "favorites", ".json", ".adr", ".bookmark", ".dat", ".txt") | extend SearchedFilePattern = extract(@"([\w:\\\/\._\-]+\.(url|website|json|adr|txt|dat|bookmark|favorites?))", 0, ProcessCommandLine) | where isnotempty(SearchedFilePattern) | summarize Count = count(), Devices = make_set(DeviceName), Users = make_set(InitiatingProcessAccountName) by SearchedFilePattern | order by Count desc | project SearchedFilePattern, Count, Devices, Users

union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where tolower(Cmd) contains "powershell" // Narrow to commands that look like directory enumeration/search or reference user profile paths | where Cmd has_any ("Get-ChildItem","gci","-Filter","-Include","Select-String","Get-Item","-Recurse") or Cmd matches regex "Users[\\\\/]" // Extract candidate filename or search tokens that reference common bookmark artifacts (case-insensitive) | extend candidates = extract_all(@"(?i)([^\s'\""]*(?:bookmark|bookmarks|places\.sqlite|favorites)[^\s'\""]*)", Cmd) | mv-expand candidate = candidates to typeof(string) | where isnotempty(candidate) | project TimeGenerated, DeviceName, AccountName, ProcessId, InitiatingProcessFileName, Cmd, candidate | summarize Count = count(), Devices = make_set(DeviceName,10), ExampleTime = min(TimeGenerated), ExampleCmd = any(Cmd) by candidate | order by Count desc

DeviceProcessEvents | where FileName endswith "powershell.exe" | where ProcessCommandLine contains "Get-ChildItem" or ProcessCommandLine contains "dir" or ProcessCommandLine contains "bookmarks" | project DeviceName, Timestamp, ProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FileName) contains "powershell" or tolower(InitiatingProcessFileName) contains "powershell" | where tolower(ProcessCommandLine) contains "bookmark" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, FileName | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where tolower(ProcessCommandLine) contains "bookmark" or tolower(ProcessCommandLine) contains "favorites" | project TimeGenerated, DeviceName, AccountDomain, AccountName, FolderPath, ProcessCommandLine

let PowerShellNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); DeviceProcessEvents | where FileName in~ (PowerShellNames) | where ActionType == "ProcessCreated" // focus on commands that mention browser-bookmark artefacts | where ProcessCommandLine has_any ("bookmark","Bookmarks","places.sqlite","Favicons","favorites") // try to extract the concrete artefact/filename that was supplied | extend SearchedFile = extract('(?i)(Bookmarks(?:\\.json|\\.sqlite|\\.bak)?|places\\.sqlite|Favicons(?:\\.db)?)',1,ProcessCommandLine) | extend SearchedFile = iff(isempty(SearchedFile), extract('(?i)-Filter\\s+[\'\"]?([^\\s\'\"]+)',1,ProcessCommandLine), SearchedFile) | where isnotempty(SearchedFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, SearchedFile | summarize Executions=count(), Hosts=make_set(DeviceName,20) by SearchedFile | order by Executions desc