Query Details

GitLab Threat Intelligence Identified 16 Malicious Chrome Extensions

Query

// GitLab Threat Intelligence Identified 16 Malicious Chrome extensions

// https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/

let GitLabTI=externaldata(MaliciousChromeID:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/GitLabTI-MaliciousChromeExtID.csv'];
let MID =
GitLabTI
| project MaliciousChromeID;
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified" or ActionType == "FileRenamed"
| where FileName endswith ".crx"
| where FileName has_any(MID)

Explanation

This query is designed to identify potentially malicious Chrome extensions on a network by leveraging threat intelligence data from GitLab. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by importing a list of known malicious Chrome extension IDs from an external CSV file hosted on GitHub. This list is provided by GitLab Threat Intelligence.

  2. Extract Malicious IDs: The query extracts the MaliciousChromeID from this list, which represents the unique identifiers of the malicious extensions.

  3. Monitor Device File Events: It then examines device file events, specifically looking for actions where a file was created, modified, or renamed.

  4. Filter for Chrome Extensions: The query focuses on files with the .crx extension, which is the file type for Chrome extensions.

  5. Identify Malicious Extensions: Finally, it checks whether the name of any of these .crx files contains one of the malicious extension IDs from the GitLab list (has_any matches any ID in the list, case-insensitively).

In essence, the query is used to detect the presence of any of the 16 identified malicious Chrome extensions on devices by checking file events against a known list of malicious extension IDs.
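To make the filtering logic concrete, here is an added Python re-implementation of the same steps run over constructed sample rows. It is not part of the original page or of the GitLab report; the IOC feed and the file events are embedded stand-ins, and the extension IDs in them are placeholders, not the real indicators.

```python
import csv
import io
import re

# Constructed stand-in for the GitLabTI-MaliciousChromeExtID.csv feed
# (one column, MaliciousChromeID). Placeholder IDs, not the real indicators.
IOC_CSV = """MaliciousChromeID
abcdefghijklmnopabcdefghijklmnop
ponmlkjihgfedcbaponmlkjihgfedcba
"""

# Constructed DeviceFileEvents rows: (ActionType, FileName).
FILE_EVENTS = [
    ("FileCreated", "abcdefghijklmnopabcdefghijklmnop_1.2.3.crx"),
    ("FileModified", "notes.txt"),
    ("FileCreated", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_2.0.crx"),   # .crx, but ID not in feed
    ("FileDeleted", "ponmlkjihgfedcbaponmlkjihgfedcba_0.1.crx"),  # action not in scope
    ("FileRenamed", "PONMLKJIHGFEDCBAPONMLKJIHGFEDCBA_0.1.CRX"),  # hit despite casing
]

# Same three actions the KQL query keeps.
ACTIONS = {"FileCreated", "FileModified", "FileRenamed"}
# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")


def load_ioc_ids(csv_text):
    """Mirror `externaldata(...) | project MaliciousChromeID`: one ID per row, lower-cased."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["MaliciousChromeID"].strip().lower()
            for row in reader if row["MaliciousChromeID"].strip()}


def hunt_crx_events(events, ioc_ids):
    """Apply the query's filters and return (FileName, matched ID) per hit.

    Comparison is case-insensitive, as KQL endswith/has_any are. IDs are
    pulled out of the file name as whole 32-letter tokens and compared
    exactly, which is slightly stricter than has_any's term matching.
    """
    hits = []
    for action, file_name in events:
        if action not in ACTIONS or not file_name.lower().endswith(".crx"):
            continue
        for ext_id in EXT_ID_RE.findall(file_name.lower()):
            if ext_id in ioc_ids:
                hits.append((file_name, ext_id))
    return hits
```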

Details


Steven Lim

Released: February 24, 2025

Tables

GitLabTI, DeviceFileEvents

Keywords

DeviceFileEvents

Operators

externaldata, let, project, where, or, endswith, has_any
