PrismaAccessBrowser

Author: Cassie Doemel, Andrew Rathbun and Yogesh Khatri

description

Prisma Access Browser

paths

43 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: PrismaAccessBrowser
# Run as Administrator

#Requires -RunAsAdministrator

# Keep going after an individual failure; the counters below record what was
# missed or failed instead of aborting the whole collection.
$ErrorActionPreference = "Continue"
# Drive whose profiles are collected; used as the prefix of "$SourceRoot\Users".
$SourceRoot = "C:"
# Root of the evidence store; every artifact lands in its own sub-folder here.
$DestBase   = "D:\Evidence"
# Running totals reported at the end of the run:
#   Copied - source directories robocopy accepted
#   Missed - source patterns that matched no directory
#   Errors - source directories robocopy rejected
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}

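function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies one artifact (a directory tree, optionally filtered by file mask)
        into the evidence store.
    .DESCRIPTION
        Expands wildcards in any segment of $SourceDir (robocopy does not glob
        its source argument), then robocopies each matching directory into
        $DestBase\$FolderName. When the pattern matches several directories
        (e.g. "Default" and "Profile 1" under "User Data\*"), each match is kept
        in its own sub-folder named after its path relative to the literal part
        of $SourceDir, so same-named files (History, Cookies, ...) from one
        profile cannot overwrite another's. A single match keeps the flat layout.
        Updates the script-level $Summary counters: Missed when nothing
        matched, Copied per directory robocopy accepted, Errors per directory
        it rejected.
    .PARAMETER SourceDir
        Source directory path; may contain wildcards in any segment.
    .PARAMETER FolderName
        Sub-folder under $DestBase that receives the copy.
    .PARAMETER FileMask
        robocopy file filter; "*" (the default) copies everything.
    .OUTPUTS
        None. Side effects: files written under $DestBase; $Summary mutated.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # -Force so directories carrying the hidden/system attribute are still
    # matched; without it they would be counted as "Missed" and the gap would
    # be easy to misread as "artifact absent".
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    # Literal (wildcard-free) parent of $SourceDir. Per-match sub-folders are
    # named relative to it, so "User Data\*\Sessions" yields "Default\Sessions"
    # rather than the colliding "Sessions" for every profile.
    $literalRoot = $SourceDir
    $wildcardAt = $SourceDir.IndexOfAny([char[]]'*?[')
    if ($wildcardAt -ge 0) {
        $cut = $SourceDir.LastIndexOf('\', $wildcardAt)
        $literalRoot = if ($cut -gt 0) { $SourceDir.Substring(0, $cut) } else { '' }
    }

    foreach ($src in $sources) {
        $target = $FullDest
        if ($sources.Count -gt 1) {
            # Fall back to the leaf name when the relative path cannot be derived.
            $subFolder = $src.Name
            if ($literalRoot -and
                $src.FullName.Length -gt $literalRoot.Length -and
                $src.FullName.StartsWith($literalRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                $subFolder = $src.FullName.Substring($literalRoot.Length).TrimStart('\')
            }
            $target = Join-Path -Path $FullDest -ChildPath $subFolder
            $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue
        }
        # /B        backup mode: read files whose ACL would otherwise deny the
        #           collector (the script already requires an elevated session).
        # /R:0 /W:0 never retry: a file locked by a running browser is counted
        #           as an Error instead of stalling the run.
        # robocopy exit codes 0-7 are its success range; 8 and above are failures.
        robocopy $src.FullName "$target" "$FileMask" /E /B /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}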

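# 1. SYSTEM Chrome History
# The SYSTEM account's profile lives under the Windows directory, not under
# \Users, so the per-user loop below never reaches it. Built on $SourceRoot so
# it follows the same drive as the user-profile collection instead of a
# hard-coded C:.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_History"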

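# Profile-relative roots of the browser's user data. The "XP" layout is the
# pre-Vista location; both are probed for every user.
$XpUserData = 'Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data'
$UserData   = 'AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data'

# One entry per artifact, in collection order.
#   Path   - source directory relative to the user's profile folder (wildcards allowed)
#   Mask   - robocopy file filter; omitted = whole directory tree
#   Folder - evidence sub-folder name; "_<user name>" is appended at run time
$Artifacts = @(
    # Windows XP-era profile layout
    @{ Path = "$XpUserData\*"; Mask = 'Bookmarks*';      Folder = 'Prisma_Access_Browser_bookmarks_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Cookies*';        Folder = 'Prisma_Access_Browser_Cookies_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Current Session'; Folder = 'Prisma_Access_Browser_Current_Session_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Current Tabs';    Folder = 'Prisma_Access_Browser_Current_Tabs_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Favicons*';       Folder = 'Prisma_Access_Browser_Favicons_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'History*';        Folder = 'Prisma_Access_Browser_History_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Last Session';    Folder = 'Prisma_Access_Browser_Last_Session_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Last Tabs';       Folder = 'Prisma_Access_Browser_Last_Tabs_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Login Data';      Folder = 'Prisma_Access_Browser_Login_Data_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Preferences';     Folder = 'Prisma_Access_Browser_Preferences_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Shortcuts*';      Folder = 'Prisma_Access_Browser_Shortcuts_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Top Sites*';      Folder = 'Prisma_Access_Browser_Top_Sites_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Visited Links';   Folder = 'Prisma_Access_Browser_Visited_Links_XP' }
    @{ Path = "$XpUserData\*"; Mask = 'Web Data*';       Folder = 'Prisma_Access_Browser_Web_Data_XP' }
    # Current profile layout
    @{ Path = "$UserData\*"; Mask = 'Bookmarks*';               Folder = 'Prisma_Access_Browser_bookmarks' }
    @{ Path = "$UserData\*"; Mask = 'Cookies*';                 Folder = 'Prisma_Access_Browser_Cookies' }
    @{ Path = "$UserData\*"; Mask = 'Current Session';          Folder = 'Prisma_Access_Browser_Current_Session' }
    @{ Path = "$UserData\*"; Mask = 'Current Tabs';             Folder = 'Prisma_Access_Browser_Current_Tabs' }
    @{ Path = "$UserData\*"; Mask = 'DownloadMetadata';         Folder = 'Prisma_Access_Browser_Download_Metadata' }
    @{ Path = "$UserData\*"; Mask = 'Extension Cookies';        Folder = 'Prisma_Access_Browser_Extension_Cookies' }
    @{ Path = "$UserData\*"; Mask = 'Favicons*';                Folder = 'Prisma_Access_Browser_Favicons' }
    @{ Path = "$UserData\*"; Mask = 'History*';                 Folder = 'Prisma_Access_Browser_History' }
    @{ Path = "$UserData\*"; Mask = 'Last Session';             Folder = 'Prisma_Access_Browser_Last_Session' }
    @{ Path = "$UserData\*"; Mask = 'Last Tabs';                Folder = 'Prisma_Access_Browser_Last_Tabs' }
    @{ Path = "$UserData\*\Sessions";                           Folder = 'Prisma_Access_Browser_Sessions_Folder' }
    @{ Path = "$UserData\*"; Mask = 'Login Data';               Folder = 'Prisma_Access_Browser_Login_Data' }
    @{ Path = "$UserData\*"; Mask = 'Media History*';           Folder = 'Prisma_Access_Browser_Media_History' }
    @{ Path = "$UserData\*"; Mask = 'Network Action Predictor'; Folder = 'Prisma_Access_Browser_Network_Action_Predictor' }
    @{ Path = "$UserData\*"; Mask = 'Network Persistent State'; Folder = 'Prisma_Access_Browser_Network_Persistent_State' }
    @{ Path = "$UserData\*"; Mask = 'Preferences';              Folder = 'Prisma_Access_Browser_Preferences' }
    @{ Path = "$UserData\*"; Mask = 'Secure Preferences';       Folder = 'Prisma_Access_Browser_Secure_Preferences' }
    @{ Path = "$UserData\*"; Mask = 'QuotaManager';             Folder = 'Prisma_Access_Browser_Quota_Manager' }
    @{ Path = "$UserData\*"; Mask = 'Reporting and NEL';        Folder = 'Prisma_Access_Browser_Reporting_and_NEL' }
    @{ Path = "$UserData\*"; Mask = 'Shortcuts*';               Folder = 'Prisma_Access_Browser_Shortcuts' }
    @{ Path = "$UserData\*"; Mask = 'Top Sites*';               Folder = 'Prisma_Access_Browser_Top_Sites' }
    @{ Path = "$UserData\*"; Mask = 'Trust Tokens*';            Folder = 'Prisma_Access_Browser_Trust_Tokens' }
    @{ Path = "$UserData\*\Sync Data"; Mask = 'SyncData.sqlite3'; Folder = 'Prisma_Access_Browser_SyncData_Database' }
    @{ Path = "$UserData\*"; Mask = 'Visited Links';            Folder = 'Prisma_Access_Browser_Visited_Links' }
    @{ Path = "$UserData\*"; Mask = 'Web Data*';                Folder = 'Prisma_Access_Browser_Web_Data' }
    # DPAPI master keys for this user; required to decrypt the Cookies /
    # Login Data databases offline, so the evidence store must stay
    # access-controlled.
    @{ Path = 'AppData\Roaming\Microsoft\Protect\*';            Folder = 'Windows_Protect_Folder' }
    @{ Path = "$UserData\Snapshots\*";                          Folder = 'Prisma_Access_Browser_Snapshots_Folder' }
    @{ Path = 'AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data Backup'; Folder = 'Prisma_Access_Browser_User_Data_Backup_Folder' }
)

# Iterate every user profile under the source drive, skipping the
# well-known non-user folders.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName    = $_.Name
        $ProfileRoot = $_.FullName
        foreach ($artifact in $Artifacts) {
            # Splat so entries without a Mask inherit Collect-Artifact's
            # default ("*", the whole tree) instead of passing an empty mask.
            $callArgs = @{
                SourceDir  = "$ProfileRoot\$($artifact.Path)"
                FolderName = "$($artifact.Folder)_$UserName"
            }
            if ($artifact.ContainsKey('Mask')) { $callArgs.FileMask = $artifact.Mask }
            Collect-Artifact @callArgs
        }
    }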

# Final tally; the counters are maintained by Collect-Artifact.
$report = "Collection complete. Copied: $($Summary.Copied)  Missed: $($Summary.Missed)  Errors: $($Summary.Errors)"
Write-Host $report -ForegroundColor Green

Save as a .ps1 file and run as Administrator. Usage: powershell -ExecutionPolicy Bypass -File script.ps1


references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_ChromiumBrowser_HistoryVisits.smap

For the files that are neither JSON nor SQLite (Current Session, Current Tabs, Last Tabs, Last Session), see the links above for clues on how to interpret that data.

included in collections