T1176 - Browser Extensions - Chrome Extensions

Hunt Tags

ID: T1176-WIN-001

Last Modified: 27/08/2020 10:00

Author: FalconForce

License: BSD 3-Clause License

References: Link to medium post

ATT&CK Tags

Tactic: Persistence

Technique: Browser Extensions (T1176)

Technical description of the attack

An attacker can install their own browser extension, or infect a hijacked legitimate one, to gain persistence and control over a system. Depending on the attacker's intent, an extension can give full control over all of the browser's communication, execute new processes, provide a stable command and control channel, and much more.

Permission required to execute the technique

User

Detection description

Whenever an extension is installed or updated, several files are created in the browser profile's extension folder. The file creation events generated by this activity let us capture the ExtensionID, which is the name of the folder the files land in.

The most common extensions are augmented with an ExtensionName field from a reference list; unknown ones are left with an empty name. Validate those and ideally monitor them for changes to their capabilities (requested permissions, external connections). A great resource for this is CRXcavator.

Utilized Data Source

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---|---|---|---|
| - | DeviceFileEvents | DATP | File Monitoring |

Hunt details

KQL

FP Rate: Low

Source: DATP

Description: First a reference list is created with known/fairly trusted extensions. Next the file create events are filtered to those written by a Chromium-based browser into an extension folder (or a .crx package), the ExtensionID is extracted from the path with a regex, and the result is joined (left outer) with the KnownExtensions reference list so that unknown extensions show up with an empty ExtensionName.

Query:

```kql
// Reference list of known / fairly trusted extensions.
// ExtensionId must be unique: the join below is on ExtensionId, and a
// duplicate key produces duplicate result rows.
let KnownExtensions = datatable(ExtensionName:string, ExtensionId:string)
[
//Official Google Extensions, installed by default
"Google Mail","pjkljhegncpnkpknbcohdijeoejaedia",
"Google Drive","apdfllckaahabafndbhieahigkjlhalf",
"Google Docs","aohghmighlieiainnegkcijnfilokake",
"Google Docs Offline","ghbmnnjooekpmoecnnnilnnbdlolhkhi",
"Google Sheets","felcaaldnbdncclmgdcncolpebgiejap",
"Google Slides","aapocclcgogkmnckokdopfmhonfmgoek",
"YouTube","blpcfgokakmgnkcojhhkbfbldkacnbeo",
// Deprecated Google Extensions, transitioned into the browser
"Chrome PDF Viewer","mhjfbmdgcfjbbpaeojofohoefgiehjai",
// "Google Web Store" was previously listed with the same ID as Google Wallet;
// the duplicate row was removed because it doubled every matching result.
"Google Wallet","nmmhkkegccagdldgiimedpiccmgmieda",
"Chrome Cast","pkedcjkdefgpdelpbcmbmeomcjbeemfm",
// Some other commonly observed security Extensions
"AdBlock","gighmmpiobklfepjocnamgkkbiglidom",
"AdBlock Plus","cfhdojbkjhnklbpkdaibdccddilifddb",
"uBlock","epcnnfbjfcgphgdmggkamkmgojdagdnn",
"uBlock Origin","cjpalhdlnbpafiamejdnhcphjbkeiagm",
"Ghostery","mlomiejdfkolichcflejclcbmpeaniij",
"Privacy Badger","pkehgijcmpdhfbdbbnkijodmdjhbjlgp",
"Disconnect","jeoacafpbcihiomhlakheieifhpjdfeo",
"HTTPS Everywhere","gcbommkclmclpchllfjekcdonpmejbdp",
// Some other known Extensions
"Adobe Acrobat","efaidnbmnnnibpcajpcglclefindmkaj",
"Foxit PDF Creator","cifnddnffldieaamihfkhkdgnbhfmaci",
"Cisco Webex Extension","jlhmfgmfgeifomenelglieieghnjghma",
"Google Translate","aapbdbdomjkkjkaonfhkkikfgjllcleb"
];
DeviceFileEvents
| where ActionType == "FileCreated"
    // file written by a Chromium-based browser process
    and (InitiatingProcessFileName contains "chrome"
         or InitiatingProcessFileName contains "edge"
         or InitiatingProcessFileName contains "brave"
         or InitiatingProcessFileName contains "vivaldi")
    // into the profile's extension folder, or a .crx package on disk
    and (FolderPath contains "User Data\\Default\\Extensions" or FolderPath endswith ".crx")
    and FolderPath !contains "Temp"
// the 32-letter extension ID is the folder name directly under Extensions\
| extend ExtensionId = extract("([a-z]{32})", 1, FolderPath)
| where isnotempty(ExtensionId)
| summarize count() by ExtensionId, DeviceName
// left outer join: unknown extensions keep an empty ExtensionName
| join kind=leftouter (KnownExtensions | project ExtensionId = tolower(ExtensionId), ExtensionName) on ExtensionId
| project ExtensionName, ExtensionId, DeviceName
| sort by ExtensionName asc
```
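The same filtering, ID extraction and reference-list join, as an added example in Python that is not part of the FalconForce hunt, run over a handful of constructed DeviceFileEvents rows so the logic can be checked offline. It goes beyond the KQL in two places: the extension-folder match covers any Chromium profile directory (User Data\Profile 1\Extensions and so on), not only Default, and the ID regex uses [a-p] because Chrome extension IDs only use those sixteen letters. It also adds a duplicate-key check for the reference list (the join key) and a helper showing how Chrome derives a packed extension's ID from the SHA-256 of its DER-encoded public key, which is why a store-installed folder name is bound to the publisher key while a side-loaded folder name is whatever the attacker typed. Hostnames, paths, the event rows and the key bytes are all constructed for the example.

```python
import hashlib
import re
from collections import Counter

# Subset of the hunt's KnownExtensions reference list, keyed by ExtensionId.
KNOWN_EXTENSIONS = {
    "pjkljhegncpnkpknbcohdijeoejaedia": "Google Mail",
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi": "Google Docs Offline",
    "cjpalhdlnbpafiamejdnhcphjbkeiagm": "uBlock Origin",
    "nmmhkkegccagdldgiimedpiccmgmieda": "Google Wallet",
}

BROWSERS = ("chrome", "edge", "brave", "vivaldi")

# Chrome extension IDs are 32 characters from a-p (hex digits 0-9a-f mapped to a-p).
# The hunt query uses [a-z]{32}; the tighter class avoids matching other 32-letter path parts.
EXT_ID_RE = re.compile(r"([a-p]{32})")

# Any profile directory under "User Data", not only "Default" as in the KQL.
EXT_DIR_RE = re.compile(r"User Data\\[^\\]+\\Extensions\\", re.IGNORECASE)


def is_extension_file_event(event):
    """Same filters as the KQL where clause (KQL contains/endswith are case-insensitive)."""
    if event["ActionType"] != "FileCreated":
        return False
    proc = event["InitiatingProcessFileName"].lower()
    if not any(b in proc for b in BROWSERS):
        return False
    path = event["FolderPath"]
    if "temp" in path.lower():
        return False
    return bool(EXT_DIR_RE.search(path)) or path.lower().endswith(".crx")


def extract_extension_id(path):
    m = EXT_ID_RE.search(path)
    return m.group(1) if m else None


def hunt(events, known=KNOWN_EXTENSIONS):
    """summarize count() by ExtensionId, DeviceName, then left-outer join with the
    reference list: {(DeviceName, ExtensionId): (ExtensionName or None, count)}."""
    counts = Counter()
    for ev in events:
        if not is_extension_file_event(ev):
            continue
        ext_id = extract_extension_id(ev["FolderPath"])
        if ext_id is None:
            continue
        counts[(ev["DeviceName"], ext_id)] += 1
    return {key: (known.get(key[1]), n) for key, n in counts.items()}


def unknown_extensions(results):
    """Rows with an empty ExtensionName after the join: the ones an analyst must validate."""
    return sorted(key for key, (name, _) in results.items() if name is None)


def duplicate_ids(rows):
    """Reference-list sanity check: a duplicated ExtensionId (the join key) makes the
    leftouter join emit one result row per duplicate. rows = [(ExtensionName, ExtensionId)]."""
    c = Counter(ext_id for _, ext_id in rows)
    return sorted(i for i, n in c.items() if n > 1)


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Chrome's packed-extension ID: first 32 hex chars of SHA-256(DER public key),
    each hex digit mapped 0-9a-f -> a-p."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # store install of uBlock Origin into the Default profile
    {"ActionType": "FileCreated", "DeviceName": "WS01", "InitiatingProcessFileName": "chrome.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.38.6_0\manifest.json"},
    # unknown extension written into a secondary Edge profile (the KQL's Default-only path misses this)
    {"ActionType": "FileCreated", "DeviceName": "WS01", "InitiatingProcessFileName": "msedge.exe",
     "FolderPath": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Profile 1\Extensions\abcdefghijklmnopabcdefghijklmnop\2.0_0\background.js"},
    # .crx package written by Brave on a second host
    {"ActionType": "FileCreated", "DeviceName": "WS02", "InitiatingProcessFileName": "brave.exe",
     "FolderPath": r"C:\Users\bob\Downloads\abcdefghijklmnopabcdefghijklmnop.crx"},
    # noise filtered out: explorer.exe touching the folder, and a Temp path
    {"ActionType": "FileCreated", "DeviceName": "WS02", "InitiatingProcessFileName": "explorer.exe",
     "FolderPath": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.38.6_0\manifest.json"},
    {"ActionType": "FileCreated", "DeviceName": "WS02", "InitiatingProcessFileName": "chrome.exe",
     "FolderPath": r"C:\Users\bob\AppData\Local\Temp\scoped_dir1234\cjpalhdlnbpafiamejdnhcphjbkeiagm.crx"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for (device, ext_id), (name, n) in sorted(results.items()):
        print(f"{device}  {ext_id}  {name or '<unknown>'}  files={n}")
    print("to validate:", unknown_extensions(results))
```

Running the block lists three device/extension pairs, of which the two `abcdefghijklmnopabcdefghijklmnop` rows come back with an empty name and are the ones to validate; the explorer.exe and Temp events are dropped exactly as the KQL drops them.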

Considerations

  • An attacker or malicious insider can side-load extensions, potentially placing them under a folder named with the ExtensionId of a known/trusted extension so that the join labels them as trusted. To do so the browser needs to be in developer mode.
  • An attacker can modify extensions that are already installed. Look at other InitiatingProcessFileName values that write to this folder; explorer.exe and dllhost.exe are very common there and usually benign.

False Positives

Extensions that are trusted in your environment but not yet in the KnownExtensions reference list.

Detection Blind Spots

Non-Chromium-based browsers are obviously not covered by this query. The folder filter also only matches the Default profile (User Data\Default\Extensions); extensions installed into additional profiles (User Data\Profile 1\Extensions and so on) are not matched by that clause.
