This note documents detection patterns related to Internet Activity within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 3 | Network connection | Critical | Direct outbound internet communication. |
| Sysmon | 22 | DNS query | Critical | Domain resolution before web activity. |
| Security | 5156 | Allowed connection | High | Windows Filtering Platform outbound traffic. |
| Security | 4688 | Browser process launch | High | Browser or LOLBIN internet access initiation. |
| PowerShell | 4104 | Download cradle / web retrieval | Critical | Script-based internet retrieval. |
| Bits-Client | 59 / 60 | BITS transfer | High | Background download activity. |
| NetworkProfile | 10000 | Network connected | High | Internet-capable network entered. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Browser launched then DNS | User browsing or staged retrieval | Critical | Common internet chain. |
| DNS without browser | Background app / malware / beacon | Critical | Often hidden activity. |
| Short browser session + download | Payload retrieval | Critical | High attacker relevance. |
| Private browsing artifacts missing | Intentional concealment | High | Correlate with cache remnants. |
| Search terms before compromise | User intent | High | Often explains later artifacts. |
| Repeated failed domains | Beacon fallback / typo / dead C2 | High | Useful malware clue. |
Common Tools
| Tool | Usage |
|---|---|
| sqlite3 | Parse browser databases |
| BrowsingHistoryView | Quick browser triage |
| Hindsight | Chrome forensic parsing |
| Registry Explorer | Typed URLs / browser config |
| EvtxECmd | Network logs |
| KAPE | Browser artifact collection |
Relevant Artifacts
Chrome / Edge History
- Chrome: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\History
- Edge: C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Default\History
Downloads
- SQLite table: downloads
Cookies
- SQLite table: cookies
Cache
- Browser cache folders
Typed URLs (Legacy / IE)
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
WebCache (Legacy)
WebCacheV01.dat
DNS
- DNS Client logs
- Sysmon Event 22
Network Support
- DHCP
- NetworkProfile
- WLAN
Registry Interpretation
| Registry Area | Usage | Forensic Value | Notes |
|---|---|---|---|
| TypedURLs | Manual typed destinations | Critical | Strong user intent evidence |
| TypedURLsTime | Timing | High | When manually entered |
| Internet Settings | Proxy / zone config | High | Proxy abuse / tampering |
| Start Page | Browser landing behavior | Medium | User profile context |
MITRE ATT&CK References
- T1071 Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1566 Phishing
- T1041 Exfiltration Over C2 Channel
Decision Tree
- Which browser?
  - Chrome
  - Edge
  - Firefox
  - IE
- User intent?
  - Search
  - Typed URL
  - Direct download
- Network corroboration?
  - DNS
  - Sysmon 3
  - DHCP active
- File impact?
  - Download
  - Cache
  - Child process
- Scope:
  - User browsing
  - Malware retrieval
  - Beacon traffic
Example Detection Templates
KQL
```kql
DeviceNetworkEvents
| where InitiatingProcessFileName in ("chrome.exe","msedge.exe","firefox.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
```
EQL
```eql
sequence by host.name with maxspan=5m
  [ process where process.name in ("chrome.exe","msedge.exe") ]
  [ network where process.name in ("chrome.exe","msedge.exe") ]
```
Sigma
```yaml
title: Browser Internet Activity
id: browser-internet-01
status: experimental
description: Detects browser outbound activity
author: Vergil
date: 2026-03-11
logsource:
  product: windows
  category: process_creation   # assumed: Image/CommandLine fields come from process-creation events
detection:
  selection:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection
fields:
  - Image
  - CommandLine
falsepositives:
  - Normal browsing
level: low
tags:
  - attack.command-and-control
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Browser logging | Retain browser artifacts | Critical | Primary user internet evidence |
| DNS logging | Enable DNS visibility | Critical | Strongest supporting layer |
| Proxy monitoring | Detect hidden redirection | High | Malware often abuses proxies |
| Download control | Alert suspicious downloads | Critical | Payload pr |
Investigator Notes
- Browser DB must be queried with SQLite, not opened raw.
- TypedURLs often prove deliberate user action.
- Downloads table frequently survives when cache is partial.
- DNS often proves activity even when browser history is cleaned.
- Browser history alone is weak without network correlation.
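As an added example (not part of the original note), the script below reads the Chrome/Edge History urls table with SQLite, converts its WebKit-epoch timestamps, and checks each Sysmon Event 22 query against browser visits in a five-minute window, separating browser-corroborated DNS from the "DNS without browser" indicator above. The History schema is trimmed to the columns used and the DNS records are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome/Edge History stores times as microseconds since 1601-01-01 UTC (WebKit epoch), not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)  # integer division keeps it exact

def build_sample_history():
    """Constructed stand-in for a History DB; only the urls columns used here are modelled."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER)")
    t0 = datetime(2026, 3, 11, 9, 0, tzinfo=timezone.utc)
    db.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://www.example.com/", "Example", datetime_to_webkit(t0)),
        (2, "https://files.example.net/tool.zip", "tool.zip", datetime_to_webkit(t0 + timedelta(minutes=2)))])
    return db

def browser_visits(db):
    """{hostname: [visit time, ...]} from the urls table (query a copy, never the live file)."""
    hosts = {}
    for url, us in db.execute("SELECT url, last_visit_time FROM urls"):
        hosts.setdefault(urlparse(url).hostname, []).append(webkit_to_datetime(us))
    return hosts

# Constructed Sysmon Event 22 records using Sysmon's own field names.
SYSMON_DNS = [
    {"UtcTime": "2026-03-11 09:00:05", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "www.example.com"},
    {"UtcTime": "2026-03-11 09:02:01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "files.example.net"},
    {"UtcTime": "2026-03-11 09:03:30", "Image": r"C:\Windows\Temp\svc.exe", "QueryName": "update.example.org"},
]

def classify_dns(db, dns_events, window=timedelta(minutes=5)):
    """Tag a query 'browser-corroborated' if a history visit to that host falls inside the window, else 'dns-without-browser'."""
    hosts, out = browser_visits(db), []
    for ev in dns_events:
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        matched = any(abs(t - v) <= window for v in hosts.get(ev["QueryName"], []))
        out.append((ev["QueryName"], ev["Image"].rsplit("\\", 1)[-1],
                    "browser-corroborated" if matched else "dns-without-browser"))
    return out

if __name__ == "__main__":
    for row in classify_dns(build_sample_history(), SYSMON_DNS):
        print(*row)
```

On a real case, point sqlite3.connect at a copied History file and feed classify_dns the parsed Event 22 records from the Sysmon channel.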