Query Details

Hunting Chrome Extension With Hidden Tracking

Query

// KQL 1 - First Version
let SecureAnnex=externaldata(extension_id:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SecureAnnexIOCs.csv'];
let MID =
SecureAnnex
| project extension_id;
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified" or ActionType == "FileRenamed"
| where FileName endswith ".crx"
| where FileName has_any(MID)

// KQL 2 - Optimized Version

let SecureAnnex=externaldata(extension_id:string, extension_name:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SecureAnnexIOCs.csv']
with (format='csv', ignoreFirstRecord=true);
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where FileName endswith ".crx"
| extend ExtensionIDVersion = tostring(split(FileName, '.')[0])
| extend ExtensionID = tolower(split(ExtensionIDVersion, '_')[0])
| summarize arg_max(TimeGenerated, *) by DeviceName, ExtensionID
| join SecureAnnex on $left.ExtensionID == $right.extension_id

Explanation

This query is designed to detect specific file events related to Chrome extensions on devices, using a list of known extension identifiers (IOCs) from an external CSV file. Here's a breakdown of what each version of the query does:

KQL 1 - First Version

  1. Load External Data: The query imports a CSV file from a GitHub repository containing a list of extension IDs (extension_id).

  2. Filter Device File Events: It filters events from DeviceFileEvents where the action type is either "FileCreated", "FileModified", or "FileRenamed".

  3. File Extension Check: It further narrows down the events to those involving files with the .crx extension, which is typically used for Chrome extensions.

  4. Match with External Data: It checks if the file name contains any of the extension IDs from the imported list.

KQL 2 - Optimized Version

  1. Load External Data with Additional Details: Similar to the first version, but it also imports an extension_name and specifies the CSV format, ignoring the first record (header).

  2. Filter Device File Events: It filters events where the action type is either "FileCreated" or "FileModified" (excluding "FileRenamed").

  3. Extract Extension ID: It extracts the extension ID from the file name by splitting the name at the period and underscore, converting it to lowercase for consistency.

  4. Summarize Events: It summarizes the events to get the most recent (arg_max) event for each device and extension ID, based on the TimeGenerated field.

  5. Join with External Data: Finally, it joins the summarized events with the external data on the extension ID to identify events involving known extensions.

In summary, both versions aim to detect file events related to Chrome extensions by matching them against a list of known extension IDs, but the second version is more optimized and includes additional processing steps to ensure accurate matching and summarization of events.

Details

Steven Lim profile picture

Steven Lim

Released: April 18, 2025

Tables

DeviceFileEvents

Keywords

SecureAnnexDeviceFileEventsFileNameExtensionIDVersionExtensionIDDeviceNameTimeGenerated

Operators

letexternaldataprojectwhereorendswithhas_anywithformatignoreFirstRecordextendtostringsplittolowersummarizearg_maxbyjoinon

Actions

GitHub