Chrome Extensions - Forensics
Background and Scope
Adversaries will always find ways to exploit even the smallest and most useful tricks or software that simplify our lives, ultimately spoiling the experience for everyone.
Browser extensions are a popular way for users to customize their browsing experience and add functionality to their browser. However, these extensions can also be exploited by adversaries to gain access to user data or inject malware onto the user's system. It is important for users to be cautious when installing extensions and to only install extensions from reputable sources. Additionally, users should regularly review and remove any extensions that they no longer use or that they do not trust.
In this discussion, we will focus on Google Chrome and explore how to generate a list of installed extensions while also examining any extensions that may be malicious.
The Why of this Blog
A browser does so much that normal browsing activity for a couple of hours lights up the EDR telemetry like a Christmas tree. All the browsing activity was performed to generate test data, but Chrome still managed to hit hundreds of MITRE techniques.
<aside> ❓ Where do you even start looking when it comes to investigating a suspicious event?
</aside>
Sample Scenarios
Scenario 1
Let’s assume your Firewall alerted you about certain URLs which either are confirmed to be malicious or their usage is against your IT policies. You need to round up the offending:
- Host - pretty easy
- User - pretty easy as well
- Process - if it’s a suspicious file such as C:\Windows\Temp\svchost.exe - pretty easy, case solved! If it’s a Browser, the investigation is just getting started.
- Is this a result of a URL visit? Process Injection? Was it an extension? If you are a veteran analyst, you’ll know how unhelpful EDR data can sometimes be when it comes to browser processes.
Scenario 2
During a compromise assessment, the victim user confirmed that all they were doing was general day-to-day browsing when they were prompted to install some sort of extension, and so they did.
Where are Extensions Stored?
<aside> ⚠️ We have received several alerts from our Web Proxy wherein the machine is suspected to be in contact with various URLs/Domains which are against the IT policy. The machine could be compromised and warrants further investigation. It’s a broad scenario, but we’ll stick to the scope of our article and work our way backwards!
</aside>
There is an abundance of blogs available on the subject of browser forensics. I’ll give you a quick TL;DR.
The Chrome default profile folder contains the majority of artifacts of interest.
<aside> 📂 C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default
</aside>
Whenever a new extension installation takes place, the .CRX file gets downloaded temporarily to one of the locations below:
C:\Users\<Name>\AppData\Local\Temp\chrome_url_fetcher_<RandomNumeric>\extension_<Version>.crx
C:\Users\<Name>\AppData\Local\Temp\scoped_<RandomNumeric>\<AppID>_<Numeric>.crx
//Live Examples
C:\Users\<Name>\AppData\Local\Temp\chrome_url_fetcher_8664_1564753985\extension_1_61_4_0.crx
C:\Users\<Name>\AppData\Local\Temp\scoped_dir8092_1584478839\mjnbclmflcpookeapghfhapeffmpodij_328.crx
After the extension is unpacked from those temporary folders, it finds its permanent home in the below directory:
<aside> 📂 C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\Extensions
</aside>
Each subfolder in that directory is named after an extension’s ID and corresponds to a distinct extension that has been installed in Chrome.
If you visit chrome://extensions/ in your Browser, you can correlate the ID to its actual name.
Or you could simply search for the ID. Google Chrome prioritizes the search result for obvious reasons.
How to Parse a List of Installed Extensions?
To parse the list of extensions in a user friendly report, we’ll use a tool called Hindsight!
“Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications (with more to come!). Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.”
GitHub: https://github.com/obsidianforensics/hindsight
The instructions are pretty self-explanatory. Triage artifact collection is out of this article’s scope, so we’re just going to point it towards a live system.
I personally prefer CSV/XLSX for investigating one-off cases, so let’s export a copy and get diggin’.
- Navigate to the Installed Extensions sheet.
- Review the list of extensions installed within the browser across all profiles. Unfortunately for us, the export does not have a Timestamp field. At the moment of writing, I am not sure if Chrome logs the Timestamp when the extension was installed.
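Hindsight gives you the list, but you can also build the same inventory directly from the profile folder. The script below is an added example, not code from the blog or from the Hindsight project: it walks Extensions\<id>\<version>\manifest.json, resolves localized `__MSG_key__` names from `_locales`, and goes one step beyond the text by pulling an install time out of Secure Preferences / Preferences. That last part rests on an assumption about Chrome’s layout (the `extensions.settings.<id>.install_time` field stored as microseconds since 1601-01-01, Chrome’s internal time format); treat it as a lead to verify on your own data. The profile it runs against is constructed in a temp directory so the example works offline.

```python
# Added example (not from the blog or Hindsight). Assumptions: install_time lives in
# Secure Preferences / Preferences under extensions.settings.<id>.install_time as
# microseconds since 1601-01-01; localized names use __MSG_key__ placeholders that
# resolve through _locales/<default_locale>/messages.json.
import json
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXT_ID_RE = re.compile(r"^[a-p]{32}$")   # Chrome extension IDs: 32 chars, letters a-p only
MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def chrome_time_to_utc(value):
    """Convert Chrome's microseconds-since-1601 (int or numeric string) to a UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=int(value))


def resolve_i18n(ext_dir, manifest, text):
    """Replace a __MSG_key__ placeholder with the default-locale message when available."""
    match = MSG_RE.match(str(text))
    if not match:
        return text
    msg_file = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
    try:
        with open(msg_file, encoding="utf-8-sig") as fh:
            return json.load(fh)[match.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return text


def load_install_times(profile_dir):
    """Map extension id -> install datetime; Secure Preferences wins over Preferences."""
    times = {}
    for name in ("Secure Preferences", "Preferences"):
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8-sig") as fh:
            settings = json.load(fh).get("extensions", {}).get("settings", {})
        for ext_id, entry in settings.items():
            if "install_time" in entry and ext_id not in times:
                times[ext_id] = chrome_time_to_utc(entry["install_time"])
    return times


def inventory(profile_dir):
    """Return one row per <id>/<version> folder that carries a manifest.json."""
    rows = []
    install_times = load_install_times(profile_dir)
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return rows
    for ext_id in sorted(os.listdir(ext_root)):
        if not EXT_ID_RE.match(ext_id):   # skips Extensions\Temp and stray files
            continue
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            ext_dir = os.path.join(ext_root, ext_id, version)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
            installed = install_times.get(ext_id)
            rows.append({
                "id": ext_id,
                "name": resolve_i18n(ext_dir, manifest, manifest.get("name", "")),
                "version": manifest.get("version", version),
                "permissions": sorted(set(manifest.get("permissions", []))
                                      | set(manifest.get("host_permissions", []))),
                "install_time_utc": installed.isoformat() if installed else None,
                "path": ext_dir,
            })
    return rows


def build_sample_profile(root):
    """Write a constructed, minimal profile so the example runs offline (sample data only)."""
    ext_id = "aaaabbbbccccddddeeeeffffgggghhhh"   # placeholder ID, not a real extension
    ext_dir = os.path.join(root, "Extensions", ext_id, "1.8.0_0")
    os.makedirs(os.path.join(ext_dir, "_locales", "en"))
    os.makedirs(os.path.join(root, "Extensions", "Temp"))
    with open(os.path.join(ext_dir, "manifest.json"), "w") as fh:
        json.dump({"name": "__MSG_appName__", "default_locale": "en", "version": "1.8.0",
                   "manifest_version": 3, "permissions": ["tabs", "webRequest"],
                   "host_permissions": ["<all_urls>"]}, fh)
    with open(os.path.join(ext_dir, "_locales", "en", "messages.json"), "w") as fh:
        json.dump({"appName": {"message": "Sample Proxy Helper"}}, fh)
    with open(os.path.join(root, "Secure Preferences"), "w") as fh:
        # 13299984000000000 us since 1601 == 2022-06-18T00:00:00Z (constructed value)
        json.dump({"extensions": {"settings": {ext_id: {"install_time": "13299984000000000",
                                                        "state": 1}}}}, fh)
    return ext_id


def demo():
    """Build the sample profile in a temp dir and return the inventory rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for row in demo():
        print(json.dumps(row, indent=2))
```

Point `inventory()` at a copied profile folder (the same `...\User Data\Default` path the article lists) rather than the live one, so Chrome’s file locks and your own reads do not collide; the `Extensions\Temp` folder is skipped on purpose because it only holds in-progress unpacks.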
The When? EDR File Modification Event vs $MFT
When it comes to Browser Forensics,
But you can still start your investigation from the EDR side by looking for any new .CRX files being created on the disk, and then cross-check with Hindsight’s output. It’s all about what’s easily accessible to you. Sometimes it’s just easier or quicker to leverage EDR, but there might be times a user just walks up to you with their laptop in hand.
Assuming you kicked off your investigation based on Hindsight’s output, after locating a suspicious Browser Extension’s AppID you could run a query in your EDR to find out when the folder was written to disk.
SentinelOne
FilePath Contains Anycase "\\Google\\Chrome\\User Data\\Default\\Extensions\\mjnbclmflcpookeapghfhapeffmpodij"
//Or you could run a blanket query with just the AppID
FilePath Contains Anycase "mjnbclmflcpookeapghfhapeffmpodij"
Defender for Endpoint
DeviceFileEvents
| where DeviceName contains "DeviceName"   // replace with the host under investigation
// You can look for recent folder writes for any indication of a new extension being installed:
| where (FolderPath contains "AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions" and FolderPath !contains "scoped") or FolderPath contains ".crx"
// Narrower variants of the same filter:
//| where FolderPath contains ".crx"
//| where FolderPath contains "AppData\\Local\\Temp"
//| where FolderPath !~ "AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp\\scoped"
Lastly, if you are a man of culture, you can parse the $MFT to correlate with the time of the suspicious activity.
Further Investigation
Extension - Already Installed
If the extension does not yield any results while performing OSINT, you can investigate the manifest.json or the associated JavaScript (.js) files present in the extension’s directory for hints about the extension’s behavior:
C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension>\<Version>\manifest.json
//Sample Files
C:\Users\Vikas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjnbclmflcpookeapghfhapeffmpodij\1.8.0_0\manifest.json
C:\Users\Vikas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjnbclmflcpookeapghfhapeffmpodij\1.8.0_0\app.js
C:\Users\Vikas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjnbclmflcpookeapghfhapeffmpodij\1.8.0_0\injected_content.js
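Before reading the scripts, the manifest alone tells you where to look. The following triage helper is an added example (not the blog’s code and not tied to any real extension): it pulls out broad host access, sensitive API permissions, content scripts injected into every site, a non-Web-Store `update_url`, and `externally_connectable`, and lists the JS files the manifest references so you know which ones to open next. Which permissions count as "sensitive" and which host patterns count as "broad" are my triage choices, not Chrome definitions; the sample manifest is constructed, and only its file names (`app.js`, `injected_content.js`) echo the paths above.

```python
# Added example, not from the blog. SENSITIVE_PERMISSIONS and BROAD_HOSTS are my own
# triage lists; WEB_STORE_UPDATE_URL is the update endpoint Chrome Web Store installs carry.
import json

SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies", "tabs",
    "scripting", "nativeMessaging", "proxy", "history", "clipboardRead", "debugger",
    "management", "webNavigation",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def script_files(manifest):
    """JS files worth reading: every content script plus the background scripts/worker."""
    files = []
    for cs in manifest.get("content_scripts", []):
        files.extend(cs.get("js", []))
    background = manifest.get("background", {})
    files.extend(background.get("scripts", []))        # Manifest V2 background pages
    if "service_worker" in background:                 # Manifest V3 service worker
        files.append(background["service_worker"])
    return files


def triage_manifest(manifest):
    """Return {'findings': [{'check', 'detail'}, ...], 'scripts': [...]} for a manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}

    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append({"check": "broad_host_access", "detail": ", ".join(broad)})
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append({"check": "sensitive_permissions", "detail": ", ".join(sensitive)})
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append({"check": "content_script_all_sites",
                             "detail": f"{', '.join(cs.get('js', []))} at {cs.get('run_at', 'document_idle')}"})
    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append({"check": "non_store_update_url", "detail": update_url})
    elif not update_url:
        findings.append({"check": "no_update_url",
                         "detail": "no update_url in manifest (Web Store installs carry one); check how it was loaded"})
    if manifest.get("externally_connectable"):
        findings.append({"check": "externally_connectable",
                         "detail": json.dumps(manifest["externally_connectable"])})
    return {"findings": findings, "scripts": script_files(manifest)}


# Constructed sample manifest (not a real extension); file names echo the blog's paths only.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Proxy Helper",
    "version": "1.8.0",
    "permissions": ["tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["injected_content.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "app.js"},
    "update_url": "https://updates.example.invalid/crx",   # placeholder, not a real host
}


def triage_file(path):
    """Load a manifest.json from disk and triage it."""
    with open(path, encoding="utf-8-sig") as fh:
        return triage_manifest(json.load(fh))


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

A manifest that trips none of these checks can still be malicious (the behavior lives in the scripts), so treat the output as a reading order, not a verdict.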
One of the JavaScript files associated with Ultrasurf:
Extension - The CRX Installer
If you are able to locate the suspicious CRX file, you could either upload it to an online utility such as https://robwu.nl/crxviewer/
If the CRX is not present on VT and you’re not comfortable uploading the file to an online resource, the contents of the file can be opened using 7-Zip!
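7-Zip works because a CRX is a small signed header followed by an ordinary ZIP archive. The parser below is an added example (not the blog’s code, and not related to crxviewer): it reads the `Cr24` magic, handles both the CRX2 layout (public-key and signature lengths) and the CRX3 layout (one header-length field in front of a protobuf header), slices off the ZIP payload and returns the file list and manifest without touching the network. The sample container it builds for itself is constructed in memory with a zeroed placeholder header, so it is not a validly signed CRX; the offset arithmetic is what the example demonstrates.

```python
# Added example, not from the blog. Assumption about the container: "Cr24" magic, then a
# little-endian uint32 version, then either (CRX2) pubkey_len, sig_len, pubkey, sig or
# (CRX3) header_len, header bytes, followed by a plain ZIP archive in both cases.
import io
import json
import struct
import zipfile


def crx_zip_offset(data):
    """Return (offset of the embedded ZIP, crx version) or raise ValueError."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len, version
    if version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        return 12 + header_len, version
    raise ValueError(f"unsupported CRX version {version}")


def crx_contents(data):
    """List the archive members and parse manifest.json from raw CRX bytes."""
    offset, version = crx_zip_offset(data)
    payload = data[offset:]
    if payload[:2] != b"PK":
        raise ValueError("ZIP signature not found at the computed offset")
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else None
    return {"crx_version": version, "zip_offset": offset, "files": names, "manifest": manifest}


def _zip_bytes(manifest, extra_files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        for name, body in extra_files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_crx3(manifest, extra_files):
    """Construct a CRX3-shaped container with a zeroed placeholder header (unsigned sample)."""
    header = b"\x00" * 16   # stands in for the real protobuf CrxFileHeader
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + _zip_bytes(manifest, extra_files)


def build_sample_crx2(manifest, extra_files):
    """Construct a CRX2-shaped container with dummy key/signature bytes (unsigned sample)."""
    key, sig = b"K" * 20, b"S" * 32   # placeholders, not a real key or signature
    return (b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig
            + _zip_bytes(manifest, extra_files))


# Constructed sample extension (not real); the file names only echo the blog's examples.
SAMPLE_MANIFEST = {"name": "Sample Proxy Helper", "version": "1.8.0", "manifest_version": 3}
SAMPLE_FILES = {"app.js": "// constructed placeholder", "injected_content.js": "// constructed placeholder"}


def demo():
    """Build both container flavours and parse them back."""
    return {
        "crx3": crx_contents(build_sample_crx3(SAMPLE_MANIFEST, SAMPLE_FILES)),
        "crx2": crx_contents(build_sample_crx2(SAMPLE_MANIFEST, SAMPLE_FILES)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `crx_contents()`; a ZIP signature that does not appear at the computed offset means the header fields did not match the assumed layout and the file deserves a closer look in a hex editor rather than a guess.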