Update T1217.yaml (#2876)

* Update T1217.yaml This test will extract Microsoft Edge browser's history of current user * Update T1217.yaml * Update T1217.yaml * remove duplicate test * Update T1217.yaml --------- Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Jul 24, 2024 · ba841eb · ba841eb
1 parent 3393964
commit ba841eb
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml
@@ -133,3 +133,43 @@ atomic_tests:
     cleanup_command: |
       rm -f #{output_file} 2>/dev/null
     name: sh
+
+- name: Extract Edge Browsing History
+  description: |
+    This test will extract Microsoft Edge browser's history of current user
+  supported_platforms:
+  - windows
+  input_arguments:
+    history_path:
+      description: Microsoft Edge browser history file path
+      type: String
+      default: $Env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History
+    dest_path:
+      description: Target file path to where the history to be extracted
+      type: String
+      default: $Env:USERPROFILE\Downloads\edgebrowsinghistory.txt
+  executor:
+    command: |
+      $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+      $History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+      $History | Out-File -FilePath "#{dest_path}"
+    cleanup_command: |
+      Remove-Item -Path "#{dest_path}"
+    name: powershell
+    elevation_required: true
+
+- name: Extract chrome Browsing History
+  description: |
+    This test will extract browsing history of the chrome user
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $Username = (whoami).Split('\')[1]
+      $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+      $History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+      $History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+    cleanup_command: |
+      Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+    name: powershell
+    elevation_required: true