Query Details

Chrome Extension Stealth Persistence Detection

Query

// Chrome extension stealth persistence detection

// Published article from @Syntax-Err0r at https://github.com/Syntax-Err0r
// https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html

// I’ve just come across an intriguing method to silently install Chrome extensions for persistence, avoiding common IOCs. This technique doesn’t require command line parameters or registry edits, making it stealthier than traditional methods. To help detect this type of persistence, I’ve also crafted a KQL query. Stay ahead of the curve and ensure your defenses are up to date!

// Step 1: devices on which Chrome has freshly written a "Secure Preferences" file
let EPNewChromeConfig =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName has "Secure Preferences" and FolderPath has "Chrome"
| distinct DeviceName;
// Step 2: newly created .crx extension packages on those devices
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".crx"
| where DeviceName has_any(EPNewChromeConfig)
// Step 3: keep the most recent event per file hash and drop rows without a hash
| summarize arg_max(Timestamp, *) by SHA1
| where isnotempty(SHA1)
// Step 4: enrich with FileProfile and keep only rarely seen files (tune the threshold to your estate)
| invoke FileProfile(SHA1,10000)
| where GlobalPrevalence <= 100

// The MITRE ATT&CK technique for malicious Chrome extensions is categorized under T1176: Browser Extensions

Explanation

This KQL query is designed to detect stealthy persistence methods used by malicious Chrome extensions. Here's a simplified breakdown of what the query does:

  1. Identify New Chrome Configurations:

    • The query first looks for any files named "Secure Preferences" that are newly created within Chrome directories. This is done to identify devices where new Chrome configurations might have been set up.
  2. Detect Suspicious Chrome Extensions:

    • It then searches for newly created files with the ".crx" extension (which are Chrome extension files) on devices identified in the first step.
  3. Filter and Analyze:

    • The query keeps the most recent event for each unique file (grouped by SHA1 hash) and drops rows that carry no SHA1 hash, since those cannot be enriched.
    • It then uses the FileProfile function to enrich the remaining hashes and keeps only files with low global prevalence (i.e., rarely seen worldwide), which can indicate a suspicious or malicious extension. Files whose prevalence is unknown are dropped by the comparison as well, so the threshold should be tuned to the environment.
  4. Contextual Information:

    • The query is based on a method described by a security researcher to install Chrome extensions stealthily, avoiding typical indicators of compromise (IOCs) like command line parameters or registry edits.
    • It aligns with the MITRE ATT&CK framework under technique T1176, which deals with malicious browser extensions.

Overall, this query helps security teams detect potentially malicious Chrome extensions that might have been installed in a stealthy manner to maintain persistence on a device.
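To show the detection logic concretely, the following Python script (an added example, not part of the original query or the referenced article) replays the same steps over a handful of constructed DeviceFileEvents rows. The FileProfile enrichment is stood in for by a constructed SHA1-to-GlobalPrevalence dictionary, and the KQL `has`/`has_any` term matching is approximated with case-insensitive substring and set membership checks.

```python
from collections import namedtuple
from datetime import datetime

# Shape of the DeviceFileEvents columns the KQL query touches.
FileEvent = namedtuple(
    "FileEvent", "Timestamp DeviceName ActionType FileName FolderPath SHA1"
)

CHROME_DIR = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"

# Constructed sample telemetry (not real data). ws-01 gets a new Secure
# Preferences file followed by .crx drops; ws-02 only drops a .crx.
SAMPLE_EVENTS = [
    FileEvent(datetime(2024, 10, 13, 9, 0), "ws-01", "FileCreated",
              "Secure Preferences", CHROME_DIR + r"\Secure Preferences", ""),
    FileEvent(datetime(2024, 10, 13, 9, 1), "ws-01", "FileCreated",
              "helper.crx", r"C:\Users\alice\AppData\Local\Temp\helper.crx", "aaaa1111"),
    # Same hash dropped again later: arg_max keeps this row, not the one above.
    FileEvent(datetime(2024, 10, 13, 9, 5), "ws-01", "FileCreated",
              "helper.crx", r"C:\ProgramData\ext\helper.crx", "aaaa1111"),
    # ws-02 never saw a new Secure Preferences file, so this is filtered out.
    FileEvent(datetime(2024, 10, 13, 9, 2), "ws-02", "FileCreated",
              "adblock.crx", r"C:\Users\bob\Downloads\adblock.crx", "bbbb2222"),
    # FileModified is not FileCreated, so it does not qualify a device.
    FileEvent(datetime(2024, 10, 13, 9, 3), "ws-03", "FileModified",
              "Secure Preferences", CHROME_DIR + r"\Secure Preferences", ""),
    # Widely seen file: excluded by the prevalence threshold.
    FileEvent(datetime(2024, 10, 13, 9, 4), "ws-01", "FileCreated",
              "popular.crx", r"C:\Users\alice\Downloads\popular.crx", "cccc3333"),
    # No hash recorded: dropped by the isnotempty(SHA1) step.
    FileEvent(datetime(2024, 10, 13, 9, 6), "ws-01", "FileCreated",
              "nohash.crx", r"C:\Users\alice\Downloads\nohash.crx", ""),
]

# Constructed stand-in for the FileProfile() enrichment (SHA1 -> GlobalPrevalence).
FILE_PROFILE = {"aaaa1111": 3, "bbbb2222": 7, "cccc3333": 250000}


def devices_with_new_secure_preferences(events):
    """Step 1: the EPNewChromeConfig device set (distinct DeviceName)."""
    return {
        e.DeviceName
        for e in events
        if e.ActionType == "FileCreated"
        and "secure preferences" in e.FileName.lower()   # KQL `has` is case-insensitive
        and "chrome" in e.FolderPath.lower()
    }


def detect_rare_crx(events, file_profile, max_prevalence=100):
    """Steps 2-4: rare .crx drops on devices from step 1, newest event per hash."""
    candidates = devices_with_new_secure_preferences(events)
    latest = {}  # SHA1 -> most recent qualifying event (arg_max(Timestamp, *) by SHA1)
    for e in events:
        if e.ActionType != "FileCreated" or not e.FileName.lower().endswith(".crx"):
            continue
        if e.DeviceName not in candidates:   # approximates DeviceName has_any(...)
            continue
        if not e.SHA1:                       # isnotempty(SHA1)
            continue
        if e.SHA1 not in latest or e.Timestamp > latest[e.SHA1].Timestamp:
            latest[e.SHA1] = e
    results = []
    for sha1, e in latest.items():
        prevalence = file_profile.get(sha1)
        # A null prevalence fails `GlobalPrevalence <= 100` in KQL, so unknown files drop out.
        if prevalence is not None and prevalence <= max_prevalence:
            results.append({
                "SHA1": sha1,
                "DeviceName": e.DeviceName,
                "FolderPath": e.FolderPath,
                "Timestamp": e.Timestamp,
                "GlobalPrevalence": prevalence,
            })
    return sorted(results, key=lambda r: r["Timestamp"])


if __name__ == "__main__":
    for hit in detect_rare_crx(SAMPLE_EVENTS, FILE_PROFILE):
        print(hit)
```

Run as-is, the script reports a single hit: the helper.crx hash on ws-01, attributed to its most recent drop location, while the high-prevalence, hashless and off-device rows fall out exactly where the corresponding KQL operators would remove them.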

Details

Steven Lim

Released: October 13, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, Chrome, Extensions, Preferences, FolderPath, DeviceName, Timestamp, SHA1, GlobalPrevalence

Operators

let, |, where, ==, has, and, distinct, endswith, has_any, summarize, arg_max, by, isnotempty, invoke, <=