Query Details

Identify Browser Extensions With Can Turnoff Malware Protections Permissions In Endpoints With No Tamper Protection

Query

# Identify browser extensions with “Can turnoff malware protections” permissions in endpoints with no tamper protection

## Description

The following query uses the DeviceTvmBrowserExtensionsKB and DeviceTvmBrowserExtensions tables, which require the Microsoft Defender Vulnerability Management (MDVM) add-on license. The results list browser extensions holding a "Can turn off malware protections" permission that are installed on endpoints where tamper protection is not enabled.

### Microsoft Defender XDR
```
let BrowserExtMalwareProtectionKB = DeviceTvmBrowserExtensionsKB
    // Knowledge base: extensions whose declared permissions can disable malware protections
    | where PermissionName contains "Can turn off malware protections"
    | project ExtensionId, ExtensionName, ExtensionRisk, PermissionName;
let BrowserExtMalwareProtection = DeviceTvmBrowserExtensions
    // Inventory: which extension is installed on which device
    | project ExtensionId, DeviceId;
let DeviceWoTamperProtection = DeviceTvmSecureConfigurationAssessment
    // scid-2003 is the tamper protection check; keep devices where it applies but is not met.
    // IsCompliant / IsApplicable are bool columns, so compare against booleans, not "0"/"1" strings.
    | where ConfigurationId has "scid-2003"
    | where IsCompliant == false
    | where IsApplicable == true
    | project DeviceId, DeviceName, OSPlatform, Timestamp;
union BrowserExtMalwareProtection, BrowserExtMalwareProtectionKB,
        DeviceWoTamperProtection
    // Distinct (extension, device) pairs, then re-attach KB details and device context
    | summarize by ExtensionId, DeviceId
    | join ( BrowserExtMalwareProtectionKB ) on ExtensionId
    | join kind=rightouter ( BrowserExtMalwareProtection ) on ExtensionId
    | join ( DeviceWoTamperProtection ) on DeviceId
    // One row per extension name and risk level: distinct device count plus the latest assessment
    | summarize DeviceCount=dcount(DeviceName), arg_max(Timestamp, *) by ExtensionName, ExtensionRisk
    | sort by DeviceCount asc, ExtensionRisk
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 20/10/2024    | Initial publish                        |

Explanation

This query is designed to identify browser extensions that have permissions to disable malware protections on devices that do not have tamper protection enabled. Here's a simplified breakdown of how the query works:

1. Identify Extensions with Risky Permissions:
   - The query first looks into the knowledge base table (DeviceTvmBrowserExtensionsKB) for browser extensions that have a permission labeled "Can turn off malware protections", and extracts the extension's ID, name, risk level, and the matching permission.
2. Collect Extension and Device Information:
   - It gathers rows from the inventory table (DeviceTvmBrowserExtensions) to get the IDs of installed extensions and the devices they are installed on.
3. Find Devices Without Tamper Protection:
   - The query checks the configuration assessment table (DeviceTvmSecureConfigurationAssessment) for the tamper protection check (scid-2003) and keeps the devices where that check is applicable but not compliant, collecting their IDs, names, operating systems, and assessment timestamps.
4. Combine and Analyze Data:
   - The query joins the three sets so that only extensions installed on devices lacking tamper protection remain.
   - It then summarizes per extension name and risk level, counting the distinct devices each extension is found on and keeping the row with the most recent assessment timestamp.
   - Finally, it sorts the results by device count (ascending) and by the extension's risk level.

The end result is a list of browser extensions that can disable malware protections, specifically on devices that are more vulnerable due to the lack of tamper protection. This helps in identifying potential security risks in the network.
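The per-extension counts above tell you which extensions to worry about; for triage you usually also want the affected endpoints themselves. The following is an added example, not part of the original query, that applies the same three filters with explicit inner joins and returns one row per device and extension. It uses only the column names that appear on this page; the risk labels in the `in~` filter are an assumption and should be adjusted to the values seen in your tenant.

```kql
// Added example: device-level drill-down for the same condition.
// Same tables and filters as the query above, joined explicitly instead of via union.
let RiskyPermissionKB = DeviceTvmBrowserExtensionsKB
    | where PermissionName contains "Can turn off malware protections"
    | project ExtensionId, ExtensionName, ExtensionRisk, PermissionName;
let DevicesWithoutTamperProtection = DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId has "scid-2003"          // tamper protection check (as on this page)
    | where IsApplicable == true and IsCompliant == false
    // One row per device, keeping the most recent assessment
    | summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId;
DeviceTvmBrowserExtensions
| project ExtensionId, DeviceId
| join kind=inner RiskyPermissionKB on ExtensionId
| join kind=inner DevicesWithoutTamperProtection on DeviceId
// Assumed risk labels; narrow or widen to match the ExtensionRisk values in your data
| where ExtensionRisk in~ ("High", "Critical")
// Collapse multiple matching permissions into one set per device/extension
| summarize Permissions = make_set(PermissionName)
    by DeviceId, DeviceName, OSPlatform, ExtensionId, ExtensionName, ExtensionRisk, LastAssessed = Timestamp
| sort by DeviceName asc, ExtensionName asc
```

Each row is a device that both lacks tamper protection and has a risky extension installed, which is the set you would prioritise for remediation.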

Details


Michalis Michalos

Released: October 20, 2024

Tables

DeviceTvmBrowserExtensionsKB, DeviceTvmBrowserExtensions, DeviceTvmSecureConfigurationAssessment

Keywords

Devices

Operators

let, where, contains, project, has, union, summarize, by, join, on, kind, rightouter, dcount, arg_max, sort, asc
