Query Details

Hunting Chrome Extension With Hidden Tracking

Query

// Import the SecureAnnex extension-ID list (CSV hosted on GitHub)
let SecureAnnex=externaldata(extension_id:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SecureAnnexIOCs.csv'];
// Keep only the extension_id column as the match list
let MID =
SecureAnnex
| project extension_id;
DeviceFileEvents
// File created, modified, or renamed
| where ActionType == "FileCreated" or ActionType == "FileModified" or ActionType == "FileRenamed"
// Chrome extension packages only
| where FileName endswith ".crx"
// File name contains one of the listed extension IDs
| where FileName has_any(MID)

Explanation

This KQL query detects file activity involving Chrome extension packages whose IDs appear in the SecureAnnex IOC list. Here's a simplified breakdown:

  1. Data Import: The externaldata operator loads a list of extension IDs from a CSV file hosted on GitHub into a table called SecureAnnex.

  2. Extract Extension IDs: The query keeps only the extension_id column of that table and stores the result in a variable called MID.

  3. Filter Device File Events: The query then reads DeviceFileEvents, the Microsoft Defender XDR advanced hunting table that records file activity on onboarded devices.

  4. Action Type Filtering: It keeps only events where a file was created, modified, or renamed.

  5. File Type Filtering: It further narrows the events to files with a .crx extension, the package format used for Chrome extensions.

  6. Extension ID Matching: Finally, it keeps only those .crx files whose file name contains one of the extension IDs in MID as a whole term (has_any is a term match, not a substring match, and is case-insensitive).

In summary, this query surfaces the creation, modification, or renaming of Chrome extension packages whose IDs match the SecureAnnex list of extensions flagged for hidden tracking.
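The same filter chain, reproduced offline as an added Python example (not from the original query or its author) over a constructed IOC CSV and constructed DeviceFileEvents rows; the KQL has_any term semantics is approximated by splitting file names on non-alphanumeric characters, and the constructed feed is assumed to carry a header row.

```python
import csv
import io
import re

# Constructed stand-in for SecureAnnexIOCs.csv; the IDs are made-up placeholders, not real indicators.
IOC_CSV = """extension_id
aaaabbbbccccddddeeeeffffgggghhhh
ppppoooonnnnmmmmllllkkkkjjjjiiii
"""

# Constructed DeviceFileEvents rows holding only the columns the query touches.
DEVICE_FILE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "aaaabbbbccccddddeeeeffffgggghhhh.crx"},
    {"DeviceName": "ws02", "ActionType": "FileModified",
     "FileName": "PPPPOOOONNNNMMMMLLLLKKKKJJJJIIII.CRX"},   # case differs; endswith/has_any ignore case
    {"DeviceName": "ws03", "ActionType": "FileDeleted",
     "FileName": "aaaabbbbccccddddeeeeffffgggghhhh.crx"},   # action type is not in the filter
    {"DeviceName": "ws04", "ActionType": "FileCreated",
     "FileName": "aaaabbbbccccddddeeeeffffgggghhhh.zip"},   # not a .crx package
    {"DeviceName": "ws05", "ActionType": "FileRenamed",
     "FileName": "xaaaabbbbccccddddeeeeffffgggghhhh.crx"},  # ID is only a substring, not a whole term
]

ACTION_TYPES = {"FileCreated", "FileModified", "FileRenamed"}


def load_extension_ids(csv_text):
    """Mirror `externaldata(...) | project extension_id`: read the single column, skipping the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["extension_id"].strip().lower() for row in reader if row["extension_id"].strip()}


def has_any(value, terms):
    """Approximation of KQL has_any: case-insensitive match on whole terms, where a term is a run
    of alphanumeric characters (assumed term splitting; KQL does not match bare substrings)."""
    tokens = set(re.findall(r"[a-z0-9]+", value.lower()))
    return any(t in tokens for t in terms)


def hunt(events, extension_ids):
    """Apply the query's three `where` stages in order and return the surviving rows."""
    return [e for e in events
            if e["ActionType"] in ACTION_TYPES
            and e["FileName"].lower().endswith(".crx")
            and has_any(e["FileName"], extension_ids)]


if __name__ == "__main__":
    for hit in hunt(DEVICE_FILE_EVENTS, load_extension_ids(IOC_CSV)):
        print(hit["DeviceName"], hit["ActionType"], hit["FileName"])
```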

Details

Steven Lim

Released: April 18, 2025

Tables

SecureAnnex, DeviceFileEvents

Keywords

SecureAnnexIOCs, DeviceFileEvents

Operators

let, externaldata, project, where, or, endswith, has_any