Query Details
# Identify endpoint browser extensions with "Can turn off malware protections" permissions
## Description
The following query uses the DeviceTvmBrowserExtensions and DeviceTvmBrowserExtensionsKB tables, which are available with the Threat and Vulnerability Management (TVM) add-on license. The results list endpoints that have browser extensions installed with the "Can turn off malware protections" permission.
### Microsoft Defender XDR
```kusto
// Extensions in the TVM knowledge base that carry the risky permission
let BrowserExtMalwareProtectionKB = DeviceTvmBrowserExtensionsKB
| where PermissionName contains "Can turn off malware protections"
| project ExtensionId, ExtensionName, ExtensionRisk, PermissionName;
// Which extension is installed on which device
let BrowserExtMalwareProtection = DeviceTvmBrowserExtensions
| project ExtensionId, DeviceId;
// Device names for the DeviceId values
let DeviceInformation = DeviceInfo
| project DeviceId, DeviceName;
// Match installed extensions against the risky ones, then attach the device name
BrowserExtMalwareProtection
| join kind=inner (BrowserExtMalwareProtectionKB) on ExtensionId
| join kind=inner (DeviceInformation) on DeviceId
| project ExtensionId,
    ExtensionName,
    ExtensionRisk,
    PermissionName,
    DeviceId,
    DeviceName
// DeviceInfo holds many rows per device, so collapse to one row per device/extension
| summarize by DeviceName, ExtensionName, ExtensionRisk
```
### Versioning
| Version | Date | Comments |
| ------------- |---------------| ---------------------------------------|
| 1.0 | 29/08/2024 | Initial publish |
This query identifies endpoints (devices) that have browser extensions installed with permissions that allow them to turn off malware protections. It uses data from the Threat and Vulnerability Management (TVM) add-on in Microsoft Defender XDR.
Here's a simplified breakdown of what the query does:
- Filter Extensions with Specific Permissions: It first filters the DeviceTvmBrowserExtensionsKB table to find browser extensions that have the permission "Can turn off malware protections".
- Extract Relevant Data: It extracts relevant information such as ExtensionId, ExtensionName, ExtensionRisk, and PermissionName from the filtered extensions.
- Get Installed Extensions: It retrieves the ExtensionId and DeviceId from the DeviceTvmBrowserExtensions table to identify which extensions are installed on which devices.
- Get Device Information: It extracts DeviceId and DeviceName from the DeviceInfo table to get the names of the devices.
- Combine Data: It combines the data from the three tables (DeviceTvmBrowserExtensionsKB, DeviceTvmBrowserExtensions, and DeviceInfo) to match extensions with devices and their respective permissions.
- Summarize Results: Finally, it summarizes the results to show the device name, extension name, and extension risk for each device that has an extension with the risky permission.
The output will list devices along with the names and risk levels of the browser extensions installed on them that have the permission to turn off malware protections.
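As an added example that is not part of the original query, the same match can be turned around to rank the risky extensions by how many endpoints carry them, which helps decide which extension to block first. It assumes the same two TVM tables and the Timestamp column of DeviceInfo (used to pick each device's latest name); the permission string is held in a `let` so it can be swapped for another permission.

```kusto
// Added example, not the original query: rank risky extensions by device footprint.
let RiskyPermission = "Can turn off malware protections";
// Knowledge-base entries that carry the permission, one row per extension
let RiskyExtensions = DeviceTvmBrowserExtensionsKB
| where PermissionName contains RiskyPermission
| summarize Permissions = make_set(PermissionName) by ExtensionId, ExtensionName, ExtensionRisk;
DeviceTvmBrowserExtensions
// Keep only installs of extensions that appear in the risky set
| where ExtensionId in ((RiskyExtensions | project ExtensionId))
// DeviceInfo has many rows per device; take the most recent name per DeviceId
| join kind=inner (DeviceInfo | summarize arg_max(Timestamp, DeviceName) by DeviceId) on DeviceId
| summarize AffectedDevices = dcount(DeviceId), Devices = make_set(DeviceName, 50) by ExtensionId
| join kind=inner (RiskyExtensions) on ExtensionId
| project ExtensionName, ExtensionRisk, AffectedDevices, Devices, Permissions
| order by AffectedDevices desc
```

Each output row is one extension with its risk rating, the number of devices it is installed on, and up to 50 device names to hand to the endpoint team.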

Michalis Michalos
Released: August 29, 2024