KQL Search

This KQL (Kusto Query Language) query is designed to detect the installation of new Chromium browser extensions on Microsoft Defender for Endpoint (MDE) devices. Specifically, it aims to identify when a new extension file (with a ".crx" extension) is created in the "Webstore Downloads" folder. This is relevant for detecting malicious activities, such as the deployment of a fake Google Translate extension by the threat group Emerald Sleet (APT43), which targets users in the U.S., Europe, and South Korea to steal email, password, and cookie data.

Here's a simplified breakdown of the query:

1. Source Table: The query looks at the DeviceFileEvents table, which logs file-related activities on devices.
2. Filter by Action: It filters the events to only include those where a file was created (ActionType == "FileCreated").
3. Filter by Folder and File Type: It further narrows down the results to files created in the "Webstore Downloads" folder and with a ".crx" extension (which are Chromium extension files).
4. Extract Extension ID: It extracts the extension ID from the file path for further analysis.

In summary, this query helps in identifying new Chromium browser extensions being installed, which could potentially be malicious, by monitoring specific file creation events on MDE endpoints.