Get Users Browser History via Live Response
Hi,
Is there a way to download a remote user's browser history for a certain period via Live Response? For example, I can do this manually on a machine (go to the browser > History > Export Browsing Data) that is connected when I have access to it either physically or when remoting on to it (the latter isn't preferred as the user will know they are being investigated), and have all the data needed, but I need to be able to run this via Live Response if possible when an investigation is raised and before isolating/disabling the user.
I have tried via the below KQL, but that doesn't give me the full URL details, and just shows what sites were visited. I ran the below query in Sentinel as it allows you to go back further than Advanced Hunting, but it messes up when looking for Chrome and Edge at the same time, so I have to run individual searches. Also not a great query, but my skills in KQL are limited.
I separated out the searches for Edge and Chrome, as when searching for both, the query fails to find anything, so it needs to be done one at a time.
Defanged the URLs as unable to post the query otherwise.
//Look for all URLs that the user has accessed via Edge
//Change Edge for chrome[.]exe if required
DeviceNetworkEvents
| where DeviceName contains "laptop-name"
//| where InitiatingProcessFileName == "msedge[.]exe"
| where InitiatingProcessFileName == "chrome[.]exe"
| where RemoteUrl != ""
2 Replies
- Schlitten (Copper Contributor): There is a getfile command that you can use. For Safari:
getfile /Users/[USERNAME]/Library/Safari/History.db
- BuriedButBreathing (Copper Contributor): You can totally do this. You have to leverage a PowerShell script uploaded to the script library though.
Bear in mind though that when you're running scripts via live response it's going to be running at a system context and not the user of that host, so any user-level environment variables will be very different.
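
An added example, not part of either reply and not Microsoft's code: one way to write the script the second reply describes, walking the profile folders on disk instead of using user-level environment variables, and staging each Chrome and Edge `History` file for `getfile`. The `-UserName` and `-StagingDir` parameters and the staging folder are assumptions made for this sketch; the browser paths are the default Windows install locations.

```powershell
# Added example: stage Chrome/Edge History databases so they can be pulled with getfile.
# Live Response runs this as SYSTEM, so $env:USERPROFILE and $env:LOCALAPPDATA resolve
# to the SYSTEM profile. User profile folders are therefore enumerated from disk.
param(
    [string]$UserName   = '*',                              # assumed parameter: profile folder filter
    [string]$StagingDir = 'C:\Windows\Temp\BrowserHistory'  # assumed staging location
)

$usersRoot = Join-Path $env:SystemDrive 'Users'
$browsers  = @{
    Chrome = 'AppData\Local\Google\Chrome\User Data'
    Edge   = 'AppData\Local\Microsoft\Edge\User Data'
}

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

$staged = foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -Filter $UserName -ErrorAction SilentlyContinue) {
    foreach ($browser in $browsers.GetEnumerator()) {
        $userData = Join-Path $userDir.FullName $browser.Value
        if (-not (Test-Path -LiteralPath $userData)) { continue }

        # Each browser profile (Default, Profile 1, ...) keeps its own History file.
        foreach ($browserProfile in Get-ChildItem -LiteralPath $userData -Directory) {
            $src = Join-Path $browserProfile.FullName 'History'
            if (-not (Test-Path -LiteralPath $src -PathType Leaf)) { continue }

            $name = '{0}_{1}_{2}_History' -f $userDir.Name, $browser.Key, ($browserProfile.Name -replace '\s', '')
            $dst  = Join-Path $StagingDir $name
            try {
                Copy-Item -LiteralPath $src -Destination $dst -Force -ErrorAction Stop
                # Record a hash at collection time so the retrieved copy can be verified later.
                [pscustomobject]@{
                    Source = $src
                    Staged = $dst
                    SHA256 = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
                }
            } catch {
                Write-Warning "Could not copy ${src}: $($_.Exception.Message)"
            }
        }
    }
}

# Print the staged paths; each one is then retrieved with getfile <Staged path>.
$staged | Format-List
```

Each staged file is a SQLite database holding the full URLs and visit times, so narrowing to the period under investigation is done offline on the retrieved copy.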