Investigating web browser abuse for data exfiltration
As you already know from the previous chapters, ransomware affiliates quite often abuse Remote Desktop Protocol (RDP) connections for both initial access and lateral movement, so they can easily use built-in legitimate tools to solve various tasks, including data exfiltration.
One such tool is a web browser. Threat actors may use it to upload the sensitive data they have collected to various file-sharing services, for example, DropMeFiles.
Web browsers have great logging capabilities, so digital forensic analysts and incident responders can always check the browsing history for any traces of data exfiltration.
Let's look at a classic version of a built-in web browser – Microsoft Edge. Its history data is stored in the WebCacheV01.dat file, which is an Extensible Storage Engine (ESE) database. Of course, there are quite a few tools that can be used to browse and analyze its contents. A good example is ESEDatabaseView from...
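As an added example (not code from the chapter or from any of the tools it names), the triage below runs over a few constructed history rows in the shape an analyst gets after exporting the WebCacheV01.dat History container, and flags visits to file-sharing services. The `Visited: user@URL` form of the Url column, the FILETIME AccessedTime column and the domain list beyond DropMeFiles are assumptions to adjust to the case at hand.

```python
"""Flag file-sharing visits in legacy Edge/IE history rows from WebCacheV01.dat.

Added example, not from the chapter. The database normally lives under
%LocalAppData%\\Microsoft\\Windows\\WebCache\\ (standard location, not stated
in the chapter); the rows below are constructed, not real evidence.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# DropMeFiles is named in the chapter; the other entries are assumptions and
# should be tuned per investigation.
FILE_SHARING_DOMAINS = {"dropmefiles.com", "mega.nz", "wetransfer.com", "sendspace.com"}

# Constructed rows: (Url column, AccessedTime column as a Windows FILETIME).
# FILETIME 132785226000000000 corresponds to 2021-10-12 14:30:00 UTC.
SAMPLE_RECORDS = [
    ("Visited: Admin@https://www.microsoft.com/en-us/", 132785220000000000),
    ("Visited: Admin@https://dropmefiles.com/", 132785226000000000),
    ("Visited: Admin@https://dropmefiles.com/upload", 132785226300000000),
    # Look-alike host: must NOT match, which is why suffix matching is used.
    ("Visited: Admin@http://dropmefiles.com.example.net/", 132785227000000000),
]


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to a UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def history_url(url_field):
    """Strip the 'Visited: user@' prefix the History container puts in front of URLs
    (assumed index.dat-style layout); other values are returned unchanged."""
    if url_field.startswith("Visited: ") and "@" in url_field:
        return url_field.split("@", 1)[1]
    return url_field


def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)


def flag_file_sharing_visits(records, domains=FILE_SHARING_DOMAINS):
    """Return (iso_timestamp, matched_host, url) for every visit to a listed service."""
    hits = []
    for url_field, accessed in records:
        url = history_url(url_field)
        host = (urlsplit(url).hostname or "").lower()
        if any(host_matches(host, d) for d in domains):
            hits.append((filetime_to_utc(accessed).isoformat(), host, url))
    return sorted(hits)


if __name__ == "__main__":
    for stamp, host, url in flag_file_sharing_visits(SAMPLE_RECORDS):
        print(stamp, host, url)
```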