Background and Scope

Adversaries will always find ways to abuse even the smallest and most useful conveniences, whether a trick or a piece of software that simplifies our lives, and in doing so spoil the experience for everyone.

Browser extensions are a popular way for users to customize their browsing experience and add functionality to their browser. However, adversaries can also abuse extensions to gain access to user data or to deliver malware onto the user's system. Users should be cautious when installing extensions, install them only from reputable sources, and regularly review and remove any extensions they no longer use or do not trust.

In this discussion, we will focus on Google Chrome and explore how to generate a list of installed extensions while also examining any extensions that may be malicious.

The Why of this Blog

A browser does so much that a couple of hours of normal browsing lights up EDR telemetry like a Christmas tree. All of the browsing in our test was performed only to generate test data, yet Chrome still managed to trip hundreds of MITRE ATT&CK technique mappings.

<aside> ❓ Where do you even start looking when it comes to investigating a suspicious event?

</aside>


Sample Scenarios

  1. Let’s assume your firewall alerted you about certain URLs which are either confirmed to be malicious or whose usage is against your IT policies. You need to round up the offending

    1. Host - pretty easy
    2. User - pretty easy as well
    3. Process - if it’s a suspicious file such as C:\Windows\Temp\svchost.exe - pretty easy, case solved!
      1. If it’s a browser, the investigation is just getting started.
      2. Is this the result of a URL visit? Process injection? Was it an extension? If you are a veteran analyst, you’ll know how unhelpful EDR data can sometimes be when it comes to browser processes.
  2. During a compromise assessment, the victim user confirmed that all they had been doing was general day-to-day browsing when they were prompted to install some sort of extension, and so they did.

Where are Extensions Stored?

<aside> ⚠️ We have received several alerts from our web proxy wherein the machine is suspected to be in contact with various URLs/domains which are against the IT policy. The machine could be compromised and warrants further investigation. It’s a broad scenario, but we’ll stick to the scope of our article and work our way backwards!

</aside>

There is an abundance of blogs available on the subject of browser forensics. I’ll give you a quick TL;DR.

The Chrome default profile folder contains the majority of artifacts of interest.

<aside> 📂 C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default

</aside>

Whenever a new extension installation takes place, the .CRX file is downloaded temporarily to one of the locations below. The `scoped_dir` form is the one seen in the live example.

```text
C:\Users\<Name>\AppData\Local\Temp\chrome_url_fetcher_<RandomNumeric>\extension_<Version>.crx
C:\Users\<Name>\AppData\Local\Temp\scoped_dir<RandomNumeric>\<AppID>_<Numeric>.crx

//Live Examples
C:\Users\<Name>\AppData\Local\Temp\chrome_url_fetcher_8664_1564753985\extension_1_61_4_0.crx
C:\Users\<Name>\AppData\Local\Temp\scoped_dir8092_1584478839\mjnbclmflcpookeapghfhapeffmpodij_328.crx
```
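As an added example (not code from the original post), here is a small Python triage helper that takes a list of file paths, for instance file-create events exported from an EDR, and flags the two temporary .crx locations described above, pulling out the user, the extension ID and the version. The sample paths are constructed for the example; the extension-ID check (32 characters from a to p) is Chrome's ID format, and the `scoped_dir` prefix follows the live example.

```python
"""Triage file paths for Chrome's temporary extension (.crx) downloads.

Added example: given file paths (e.g. from EDR file-create telemetry), keep
only the two %LOCALAPPDATA%\\Temp patterns Chrome uses while installing an
extension and extract the user, the extension ID and the version.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Common prefix: <Drive>:\Users\<Name>\AppData\Local\Temp\
_TEMP_PREFIX = r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\AppData\\Local\\Temp\\"

# Pattern 1: ...\Temp\chrome_url_fetcher_<RandomNumeric>\extension_<Version>.crx
# The version components are joined with underscores (extension_1_61_4_0.crx).
URL_FETCHER_RE = re.compile(
    _TEMP_PREFIX + r"chrome_url_fetcher_\d+_\d+\\extension_(?P<ver>\d+(?:_\d+)*)\.crx$",
    re.IGNORECASE,
)

# Pattern 2: ...\Temp\scoped_dir<RandomNumeric>\<AppID>_<Numeric>.crx
SCOPED_RE = re.compile(
    _TEMP_PREFIX + r"scoped_dir\d+_\d+\\(?P<appid>[a-z]{32})_(?P<num>\d+)\.crx$",
    re.IGNORECASE,
)


@dataclass
class CrxArtifact:
    user: str
    kind: str               # "url_fetcher" or "scoped"
    app_id: Optional[str]   # only present in the scoped_dir form
    version: Optional[str]  # only present in the chrome_url_fetcher form
    path: str


def is_extension_id(value: str) -> bool:
    """True if value has the form of a Chrome extension ID (32 chars, a-p)."""
    return EXTENSION_ID_RE.match(value) is not None


def classify_path(path: str) -> Optional[CrxArtifact]:
    """Return a CrxArtifact if path is one of the two temp .crx locations, else None."""
    m = URL_FETCHER_RE.match(path)
    if m:
        return CrxArtifact(
            user=m.group("user"),
            kind="url_fetcher",
            app_id=None,
            version=m.group("ver").replace("_", "."),
            path=path,
        )
    m = SCOPED_RE.match(path)
    # The path regex is case-insensitive (Windows paths), so validate the ID
    # separately with the strict, lowercase a-p check.
    if m and is_extension_id(m.group("appid")):
        return CrxArtifact(
            user=m.group("user"),
            kind="scoped",
            app_id=m.group("appid"),
            version=None,
            path=path,
        )
    return None


def triage_crx_paths(paths: List[str]) -> List[CrxArtifact]:
    """Keep only the paths that look like Chrome's temporary .crx downloads."""
    return [a for a in map(classify_path, paths) if a is not None]


# Constructed sample telemetry (not real data): two genuine .crx drops, one
# unrelated file, and one .crx whose 32-letter name is not a valid extension ID.
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Local\Temp\chrome_url_fetcher_8664_1564753985\extension_1_61_4_0.crx",
    r"C:\Windows\Temp\svchost.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\scoped_dir8092_1584478839\mjnbclmflcpookeapghfhapeffmpodij_328.crx",
    r"C:\Users\jdoe\AppData\Local\Temp\scoped_dir1234_5678" + "\\" + "z" * 32 + "_1.crx",
]

if __name__ == "__main__":
    for art in triage_crx_paths(SAMPLE_PATHS):
        print(f"{art.user:8} {art.kind:12} id={art.app_id} version={art.version}")
```

Run it over a dump of file-create paths from the host in question; each hit gives you a timestamp to pivot on (the parent `chrome.exe` write) and, for the `scoped_dir` form, the extension ID to look up in the Chrome Web Store or your allow-list.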

Once installation completes, the unpacked extension finds its permanent home in the directory below: