Overview

The ChromiumHistory command parses browsing history files from Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, and Opera. This command extracts visited URLs, page titles, visit counts, and timestamps, providing insight into user browsing behavior and system activity.

Syntax

Seatbelt.exe ChromiumHistory
This command does not accept arguments.

Output

The command returns:
  • Browser type (Chrome, Edge, Brave, Opera)
  • User profile path
  • Visited URLs
  • Page titles
  • Visit count for each URL
  • Last visit timestamp
  • Typed count (number of times URL was manually typed)

Use Cases

Red Team

  • Identify administrative interfaces and management consoles
  • Discover internal web applications and services
  • Map network infrastructure through visited URLs
  • Identify potential targets for credential harvesting
  • Determine user roles and access patterns
  • Find development/staging environments
  • Locate cloud service consoles

Blue Team

  • Investigate suspicious user activity
  • Audit compliance with acceptable use policies
  • Identify potential data exfiltration destinations
  • Correlate browsing patterns with security incidents
  • Detect access to malicious or compromised websites
  • Identify insider threat indicators
  • Verify legitimate business purpose for web access

Example Output

====== ChromiumHistory ======

  Browser   : Chrome
  Profile   : C:\Users\john\AppData\Local\Google\Chrome\User Data\Default

  URL       : https://admin.corp.internal
  Title     : Admin Dashboard
  Visits    : 47
  Last Visit: 10/19/2023 3:42:18 PM
  Typed     : 5

  URL       : https://github.com/company/secretproject
  Title     : secretproject - GitHub
  Visits    : 23
  Last Visit: 10/19/2023 2:15:32 PM
  Typed     : 0

  Browser   : Edge
  Profile   : C:\Users\john\AppData\Local\Microsoft\Edge\User Data\Default

  URL       : https://portal.azure.com
  Title     : Microsoft Azure Portal
  Visits    : 134
  Last Visit: 10/19/2023 4:02:47 PM
  Typed     : 12

Performance Considerations

This command has minimal to moderate performance impact depending on the size of browser history databases. Large history files may take longer to parse. The command reads SQLite database files from disk without executing queries against live browser instances.

Remote Execution

This command supports remote execution via WMI. Use the -computername parameter to enumerate browser history on remote systems:
Seatbelt.exe ChromiumHistory -computername=TARGET.domain.com

Detection Considerations

Indicators

  • File access to browser history SQLite databases
  • Read operations on user profile directories
  • Access to %LOCALAPPDATA%\Google\Chrome\User Data\*\History
  • Access to %LOCALAPPDATA%\Microsoft\Edge\User Data\*\History
  • Access to %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\*\History
  • SQLite database file locks and reads

Defensive Recommendations

  • Monitor for unauthorized access to user profile directories
  • Log file access to sensitive browser data locations
  • Alert on access to browser history databases by non-browser processes
  • Implement least privilege to restrict profile directory access
  • Use AppLocker or similar to control execution of enumeration tools
  • Consider File Integrity Monitoring (FIM) for browser data directories
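
One way to implement the "alert on access to browser history databases by non-browser processes" recommendation is sketched below. This is an added example, not part of Seatbelt or its documentation: the event records are constructed, the "image" and "object" field names are hypothetical, and the browser executable names are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Suffixes from the Indicators list (%LOCALAPPDATA% = <profile>\AppData\Local).
# The expected browser image names are assumptions of this example.
HISTORY_DBS = {
    "Chrome": (r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\History$", "chrome.exe"),
    "Edge": (r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\History$", "msedge.exe"),
    "Brave": (r"\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\[^\\]+\\History$", "brave.exe"),
}
RULES = [(name, re.compile(rx, re.IGNORECASE), exe) for name, (rx, exe) in HISTORY_DBS.items()]

def check_event(event):
    """Return an alert dict when a non-browser image opens a History database."""
    for browser, pattern, expected in RULES:
        if pattern.search(event["object"]):
            image = basename(event["image"])
            if image.lower() == expected:
                return None  # the browser reading its own database
            return {"browser": browser, "image": image, "object": event["object"]}
    return None  # not a monitored path

def find_alerts(events):
    """Run every event through check_event and keep only the alerts."""
    return [alert for alert in map(check_event, events) if alert]

# Constructed sample events; "image" and "object" are hypothetical field names
# standing in for the process path and file path of a file-access audit record.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": r"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"image": r"C:\Users\john\Downloads\Seatbelt.exe",
     "object": r"C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"image": r"C:\Users\john\Downloads\Seatbelt.exe",
     "object": r"C:\Users\john\AppData\Local\Microsoft\Edge\User Data\Profile 1\History"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "object": r"C:\Users\john\Documents\History"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']} opened {alert['browser']} history: {alert['object']}")
```

Matching on the image file name alone lets a renamed binary pass as the browser, so a production rule should also compare the full image path or the code signer.
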

Related Commands

  • ChromiumBookmarks - Parses Chromium browser bookmark files
  • ChromiumPresence - Checks if interesting Chromium browser files exist
  • FirefoxHistory - Parses Firefox browser history
  • IEUrls - Retrieves Internet Explorer typed URLs
  • IETabs - Enumerates open Internet Explorer tabs