Hunting Chrome Extension With Hidden Tracking
Query
// KQL 1 - First Version
let SecureAnnex=externaldata(extension_id:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SecureAnnexIOCs.csv'];
let MID =
SecureAnnex
| project extension_id;
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified" or ActionType == "FileRenamed"
| where FileName endswith ".crx"
| where FileName has_any(MID)
// KQL 2 - Optimized Version
let SecureAnnex=externaldata(extension_id:string, extension_name:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SecureAnnexIOCs.csv']
with (format='csv', ignoreFirstRecord=true);
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where FileName endswith ".crx"
| extend ExtensionIDVersion = tostring(split(FileName, '.')[0])
| extend ExtensionID = tolower(split(ExtensionIDVersion, '_')[0])
| summarize arg_max(TimeGenerated, *) by DeviceName, ExtensionID
| join SecureAnnex on $left.ExtensionID == $right.extension_idExplanation
This query is designed to detect specific file events related to Chrome extensions on devices, using a list of known extension identifiers (IOCs) from an external CSV file. Here's a breakdown of what each version of the query does:
KQL 1 - First Version
-
Load External Data: The query imports a CSV file from a GitHub repository containing a list of extension IDs (
extension_id). -
Filter Device File Events: It filters events from
DeviceFileEventswhere the action type is either "FileCreated", "FileModified", or "FileRenamed". -
File Extension Check: It further narrows down the events to those involving files with the
.crxextension, which is typically used for Chrome extensions. -
Match with External Data: It checks if the file name contains any of the extension IDs from the imported list.
KQL 2 - Optimized Version
-
Load External Data with Additional Details: Similar to the first version, but it also imports an
extension_nameand specifies the CSV format, ignoring the first record (header). -
Filter Device File Events: It filters events where the action type is either "FileCreated" or "FileModified" (excluding "FileRenamed").
-
Extract Extension ID: It extracts the extension ID from the file name by splitting the name at the period and underscore, converting it to lowercase for consistency.
-
Summarize Events: It summarizes the events to get the most recent (
arg_max) event for each device and extension ID, based on theTimeGeneratedfield. -
Join with External Data: Finally, it joins the summarized events with the external data on the extension ID to identify events involving known extensions.
In summary, both versions aim to detect file events related to Chrome extensions by matching them against a list of known extension IDs, but the second version is more optimized and includes additional processing steps to ensure accurate matching and summarization of events.
Details

Steven Lim
Released: April 18, 2025
Tables
Keywords
Operators