From ba841eba7a0a3c225e00e29c4d950df7e3fdc4f3 Mon Sep 17 00:00:00 2001
From: sree siva likhitha kothalanka <131431317+likhitha0541@users.noreply.github.com>
Date: Wed, 24 Jul 2024 20:01:17 +0530
Subject: [PATCH] Update T1217.yaml (#2876)

* Update T1217.yaml

This test will extract Microsoft Edge browser's history of current user

* Update T1217.yaml

* Update T1217.yaml

* remove duplicate test

* Update T1217.yaml

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1217/T1217.yaml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml
index 9d3ad9f4f5..efeeb934f5 100644
--- a/atomics/T1217/T1217.yaml
+++ b/atomics/T1217/T1217.yaml
@@ -133,3 +133,43 @@ atomic_tests: cleanup_command: | rm -f #{output_file} 2>/dev/null name: sh + +- name: Extract Edge Browsing History + description: | + This test will extract Microsoft Edge browser's history of current user + supported_platforms: + - windows + input_arguments: + history_path: + description: Microsoft Edge browser history file path + type: String + default: $Env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History + dest_path: + description: Target file path to where the history to be extracted + type: String + default: $Env:USERPROFILE\Downloads\edgebrowsinghistory.txt + executor: + command: | + $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?' + $History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique + $History | Out-File -FilePath "#{dest_path}" + cleanup_command: | + Remove-Item -Path "#{dest_path}" + name: powershell + elevation_required: true + +- name: Extract chrome Browsing History + description: | + This test will extract browsing history of the chrome user + supported_platforms: + - windows + executor: + command: | + $Username = (whoami).Split('\')[1] + $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?' + $History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique + $History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt" + cleanup_command: | + Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt" + name: powershell + elevation_required: true
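Review bot: In both executor commands the `$URL_Regex` pattern ends in a lazy group, `(/[\w- ./?%&=]*)*?`, and with nothing after it in the pattern that group is satisfied by zero repetitions, so every match stops at the host and the output files hold scheme and host only, not the visited URLs the descriptions promise. Drop the trailing `?` if full URLs are intended, or say in the description that only origins are collected. The Chrome test should also follow the Edge test's shape: it hardcodes both paths and rebuilds the profile directory from `(whoami).Split('\')[1]` and `$Env:systemdrive\Users\$UserName`, where `history_path` and `dest_path` input arguments with a `$Env:LOCALAPPDATA\Google\Chrome\User Data\Default\History` default would be consistent and overridable. Both tests set `elevation_required: true`, yet the commands only read from the current user's profile and write to that user's Downloads folder, so nothing shown here needs elevation and `false` looks correct. Smaller points: both `cleanup_command` lines call `Remove-Item` with no `-ErrorAction Ignore`, so cleanup reports an error whenever the test did not produce the file; the name "Extract chrome Browsing History" should capitalize Chrome to match the Edge entry; and the `dest_path` description ("Target file path to where the history to be extracted") needs rewording.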