Find sigma rule 
Attack: Browser Bookmark Discovery
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.
Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).(Citation: Chrome Roaming Profiles)
MITRE
Tactic
- discovery
technique
- T1217
Test : List Internet Explorer Bookmarks using the command prompt
OS
- windows
Description:
This test will list the bookmarks for Internet Explorer that are found in the Favorites folder
Executor
command_prompt
Sigma Rule
- proc_creation_win_cmd_dir_execution.yml (id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006)