Query Details

Hunting Malicious Chrome Extension

Query

// Hunting Malicious Chrome Extension

// A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.
// https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html

let MaliciousChromeExtensionID = dynamic(["bibjgkidgpfbblifamdlkdlhgihmfohh","pkgciiiancapdlpcbppfkmeaieppikkk",
"epdjhgbipjpbbhoccdeipghoihibnfja","bbdnohkpnbkdkmnkddobeafboooinpla","befflofjcniongenjmbkgkoljhgliihe",
"cedgndijpacnfbdggppddacngjfdkaca","nnpnnpemnckcfdebeekibpiijlicmpom","dpggmcodlahmljkhlmpgpdcffdaoccni",
"cplhlgabfijoiabgkigdafklbhhdkahj","egmennebgadmncfjafcemlecimkepcle","acmfnomgphggonodopogfbmkneepfgnh",
"mnhffkhmpnefgklngfmlndmkimimbphc","oaikpkmjciadfpddlpjjdapglcihgdle","fbmlcbhdmilaggedifpihjgkkmdgeljh",
"kkodiihpgodmdankclfibbiphjkfdenh","oeiomhmbaapihbilkfkhmlajkeegnjhe"]);
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".crx"
| where FileName has_any(MaliciousChromeExtensionID)

Explanation

This query is designed to help identify potentially malicious Chrome browser extensions that have been installed on devices. Here's a simple breakdown of what it does:

  1. Define Malicious Extensions: It starts by listing the IDs of known malicious Chrome extensions that have been compromised in a recent attack campaign. These extensions have been identified as exposing users to data breaches and credential theft.

  2. Filter File Creation Events: The query looks at device file events, specifically focusing on files that have been created. It filters for files with the ".crx" extension, which is the file type for Chrome extensions.

  3. Match Against Malicious IDs: It then checks if any of these newly created ".crx" files match the IDs of the known malicious extensions.

In summary, this query helps security analysts detect if any of the compromised Chrome extensions have been installed on devices within their network, allowing them to take appropriate action to protect users.
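The logic of the query above, as an added stand-alone example (not part of the original post and not from Microsoft's KQL): it filters constructed DeviceFileEvents-style records the same way, and also flags events whose FolderPath names a known extension ID, because Chrome unpacks Web Store extensions into an `Extensions\<id>\<version>` folder and no ".crx" file need ever be written. Device names and paths are hypothetical sample data.

```python
import re
from typing import Iterable

# Compromised extension IDs as listed in the page's query (December 2024 campaign).
MALICIOUS_EXTENSION_IDS = {
    "bibjgkidgpfbblifamdlkdlhgihmfohh", "pkgciiiancapdlpcbppfkmeaieppikkk",
    "epdjhgbipjpbbhoccdeipghoihibnfja", "bbdnohkpnbkdkmnkddobeafboooinpla",
    "befflofjcniongenjmbkgkoljhgliihe", "cedgndijpacnfbdggppddacngjfdkaca",
    "nnpnnpemnckcfdebeekibpiijlicmpom", "dpggmcodlahmljkhlmpgpdcffdaoccni",
    "cplhlgabfijoiabgkigdafklbhhdkahj", "egmennebgadmncfjafcemlecimkepcle",
    "acmfnomgphggonodopogfbmkneepfgnh", "mnhffkhmpnefgklngfmlndmkimimbphc",
    "oaikpkmjciadfpddlpjjdapglcihgdle", "fbmlcbhdmilaggedifpihjgkkmdgeljh",
    "kkodiihpgodmdankclfibbiphjkfdenh", "oeiomhmbaapihbilkfkhmlajkeegnjhe",
}

# Chrome extension IDs are exactly 32 lowercase letters from a-p; any path
# component of that shape (a .crx stem or an Extensions\<id> folder) is a candidate.
EXT_ID_RE = re.compile(r"(?<![a-z])[a-p]{32}(?![a-z])")

def extension_ids_in(event: dict) -> set[str]:
    """Return every candidate extension ID found in FolderPath or FileName."""
    text = f"{event.get('FolderPath', '')}\\{event.get('FileName', '')}".lower()
    return set(EXT_ID_RE.findall(text))

def hunt(events: Iterable[dict]) -> list[dict]:
    """FileCreated events whose path names a known malicious extension ID.
    'Via' records whether the match came from a .crx file or an unpacked folder."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "FileCreated":
            continue
        matched = extension_ids_in(ev) & MALICIOUS_EXTENSION_IDS
        if matched:
            hits.append({"DeviceName": ev["DeviceName"],
                         "ExtensionId": sorted(matched)[0],
                         "Via": "crx" if ev["FileName"].lower().endswith(".crx") else "folder"})
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"DeviceName": "ws01", "ActionType": "FileCreated", "FolderPath": r"C:\Users\a\Downloads",
     "FileName": "bibjgkidgpfbblifamdlkdlhgihmfohh.crx"},
    {"DeviceName": "ws02", "ActionType": "FileCreated", "FileName": "manifest.json",
     "FolderPath": r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnpnnpemnckcfdebeekibpiijlicmpom\1.2.3_0"},
    {"DeviceName": "ws03", "ActionType": "FileCreated", "FolderPath": r"C:\Users\c\Downloads",
     "FileName": "benign_extension.crx"},
    {"DeviceName": "ws04", "ActionType": "FileModified", "FolderPath": r"C:\Users\d\Downloads",
     "FileName": "pkgciiiancapdlpcbppfkmeaieppikkk.crx"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only ws01 (a downloaded .crx) and ws02 (an unpacked install with no .crx at all) are reported; the FileModified record is skipped as the page's query does.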

Details

Steven Lim

Released: December 30, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let, dynamic, where, and, endswith, has_any