Query Details

Hunt Compromised Browser Extensions

Query

# *Hunt for compromised browser extensions*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1176 | Browser Extensions | https://attack.mitre.org/techniques/T1176/ |

#### Description
This hunting rule finds devices with known compromised browser extensions installed and enabled. It was created from the threat research linked in the reference section.

#### Risk
These browser extensions were found to steal sensitive user information and sign-in cookies after a supply-chain compromise in which malicious versions of legitimate extensions were published.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/

## Defender XDR
```KQL
let extensions = datatable (Id:string, VulnVersion:string) [
    "nnpnnpemnckcfdebeekibpiijlicmpom", "2.0.1",
    "kkodiihpgodmdankclfibbiphjkfdenh", "1.16.2",
    "oaikpkmjciadfpddlpjjdapglcihgdle", "1.0.12",
    "dpggmcodlahmljkhlmpgpdcffdaoccni", "1.1.1",
    "acmfnomgphggonodopogfbmkneepfgnh", "4.00",
    "mnhffkhmpnefgklngfmlndmkimimbphc", "4.40",
    "cedgndijpacnfbdggppddacngjfdkaca", "0.0.11",
    "bbdnohkpnbkdkmnkddobeafboooinpla", "1.0.1",
    "egmennebgadmncfjafcemlecimkepcle", "2.2.7",
    "bibjgkidgpfbblifamdlkdlhgihmfohh", "0.1.3",
    "befflofjcniongenjmbkgkoljhgliihe", "2.13.0",
    "pkgciiiancapdlpcbppfkmeaieppikkk", "1.3.7",
    "llimhhconnjiflfimocjggfjdlmlhblm", "1.5.7",
    "oeiomhmbaapihbilkfkhmlajkeegnjhe", "3.18.0",
    "pajkjnmeojmbapicmbpliphjmcekeaac", "24.10.4",
    "ndlbedplllcgconngcnfmkadhokfaaln", "2.22.6",
    "epdjhgbipjpbbhoccdeipghoihibnfja", "1.4",
    "cplhlgabfijoiabgkigdafklbhhdkahj", "1.0.161",
    "jiofmdifioeejeilfkpegipdjiopiekl", "1.1.61",
    "hihblcmlaaademjlakdpicchbjnnnkbo", "3.0.2",
    "ekpkdmohpdnebfedjjfklhpefgpgaaji", "1.3",
    "epikoohpebngmakjinphfiagogjcnddm", "2.7.3",
    "miglaibdlgminlepgeifekifakochlka", "1.4.5",
    "eanofdhdfbcalhflpbdipkjjkoimeeod", "1.4.9",
    "ogbhbgkiojdollpjbhbamafmedkeockb", "1.8.1",
    "bgejafhieobnfpjlpcjjggoboebonfcg", "1.1.1",
    "igbodamhgjohafcenbcljfegbipdfjpk", "2.3",
    "mbindhfolmpijhodmgkloeeppmkhpmhc", "1.44",
    "hodiladlefdpcbemnbbcpclbmknkiaem", "3.1.3",
    "lbneaaedflankmgmfbmaplggbmjjmbae", "1.3.8",
    "eaijffijbobmnonfhilihbejadplhddo", "2.4",
    "hmiaoahjllhfgebflooeeefeiafpkfde", "1.0.0"
];
DeviceTvmBrowserExtensions
// Find devices using vulnerable extensions
| join kind=inner extensions on $left.ExtensionId == $right.Id
| extend IntVersion = parse_version(ExtensionVersion), IntVulnVersion = parse_version(VulnVersion)
// Flag installs at or below the compromised version that are currently enabled.
// tobool() works whether IsActivated is typed bool or carries the string "true".
| where IntVersion <= IntVulnVersion and tobool(IsActivated)
// Join for more device info: keep only the latest DeviceInfo record per device
// from the last 7 days so the join does not multiply rows
| join kind=inner (
    DeviceInfo 
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId
) on DeviceId
| distinct DeviceName, DeviceId, BrowserName, ExtensionName, ExtensionDescription, ExtensionVersion, ExtensionRisk, VulnVersion
```

## Sentinel
```KQL
N/A
```

Explanation

This query identifies devices running compromised browser extensions by comparing the extensions inventoried on each device with a list of known compromised extension IDs and versions. A simplified breakdown of how it operates:

  1. Data Setup: A list of known compromised browser extensions, each with the version that was compromised, is defined in a datatable.

  2. Data Matching: The query joins the DeviceTvmBrowserExtensions table against that list on the unique ExtensionId, so only devices with one of the listed extensions remain.

  3. Version Comparison: For each match, the installed version (ExtensionVersion) and the compromised version (VulnVersion) are converted with parse_version and compared. Rows are kept when the installed version is at or below the compromised version and the extension is enabled (IsActivated is true). Note that an older install is flagged too, since it can auto-update into the compromised release; an install newer than VulnVersion is not flagged.

  4. Device Information: The results are joined with DeviceInfo, restricted to the last 7 days, to add device context such as the device name. Because this is an inner join, devices without a DeviceInfo record in that window drop out of the results.

  5. Result Compilation: Finally, a distinct list of devices is returned with the browser name and the extension name, description, installed version, risk rating and the compromised version it was matched against.

This query helps security teams identify and remediate compromised browser extensions that could steal sensitive information and session cookies from users.
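The same matching rule can be run on a single host where Defender TVM inventory is not available. The script below is an added example, not part of the original query or the author's work. It assumes the Chromium on-disk layout `Extensions/<extension_id>/<version>_<n>/manifest.json` (Chrome on Windows keeps this under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`, Edge under `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions`), approximates KQL's `parse_version()` with a zero-padded four-part tuple, uses a subset of the IDs and versions from the datatable above, and builds a constructed sample profile rather than reading a real one.

```python
"""Host-side check of a Chromium profile's Extensions folder against the
compromised-extension list. Added example, not part of the original query page."""
import json
import re
import tempfile
from pathlib import Path

# Subset of the (ExtensionId, compromised version) pairs from the KQL datatable above.
COMPROMISED = {
    "nnpnnpemnckcfdebeekibpiijlicmpom": "2.0.1",
    "kkodiihpgodmdankclfibbiphjkfdenh": "1.16.2",
    "acmfnomgphggonodopogfbmkneepfgnh": "4.00",
    "pajkjnmeojmbapicmbpliphjmcekeaac": "24.10.4",
}

# Usual profile locations (assumed; adjust for other profiles, browsers or platforms):
#   Chrome on Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
#   Edge on Windows:   %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions


def parse_version(text):
    """Approximate KQL parse_version(): up to four numeric dotted parts, zero-padded,
    so "4.00" == "4.0.0" and "1.4" < "1.4.5". Input with no digits yields None."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:4]]
    if not parts:
        return None
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(installed, compromised):
    """Same rule as the query: flag installs at or below the compromised version."""
    a, b = parse_version(installed), parse_version(compromised)
    return a is not None and b is not None and a <= b


def scan_extensions_dir(ext_root):
    """Walk <ext_root>/<extension_id>/<version>_<n>/manifest.json (Chromium layout,
    assumed) and return sorted (extension_id, installed_version, compromised_version) hits."""
    hits = []
    for id_dir in Path(ext_root).iterdir():
        ext_id = id_dir.name
        if ext_id not in COMPROMISED or not id_dir.is_dir():
            continue
        for manifest in id_dir.glob("*/manifest.json"):
            installed = json.loads(manifest.read_text(encoding="utf-8")).get("version", "")
            if is_affected(installed, COMPROMISED[ext_id]):
                hits.append((ext_id, installed, COMPROMISED[ext_id]))
    return sorted(hits)


def build_sample_profile(root):
    """Constructed sample profile (not real data): minimal manifests for four extensions."""
    sample = {
        "nnpnnpemnckcfdebeekibpiijlicmpom": "2.0.1",   # exactly the compromised build
        "kkodiihpgodmdankclfibbiphjkfdenh": "1.17.0",  # newer than 1.16.2, not flagged
        "acmfnomgphggonodopogfbmkneepfgnh": "3.9",     # older than 4.00, flagged by the <= rule
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "1.0.0",   # placeholder id, not on the list
    }
    for ext_id, version in sample.items():
        version_dir = Path(root) / ext_id / f"{version}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(
            json.dumps({"name": "sample", "version": version}), encoding="utf-8")


def demo():
    """Run the scan over the constructed profile and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return scan_extensions_dir(tmp)


if __name__ == "__main__":
    for ext_id, installed, compromised in demo():
        print(f"{ext_id} installed={installed} compromised={compromised}")
```

To use it against a real profile, call `scan_extensions_dir()` on the Extensions folder instead of `demo()`. Presence on disk does not imply the extension is enabled; the query's `IsActivated` condition corresponds to state kept in the profile's preferences, which this script does not read, so treat a hit as "installed" and confirm enablement in the browser's extensions page.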

Details


Robbe Van den Daele

Released: January 31, 2025

Tables

- DeviceTvmBrowserExtensions
- DeviceInfo

Keywords

Devices, BrowserExtensions, DeviceInfo, DeviceName, DeviceId, BrowserName, ExtensionName, ExtensionDescription, ExtensionVersion, ExtensionRisk, VulnVersion

Operators

let, datatable, join, on, extend, parse_version, where, and, distinct, ago
