sigmahighHunting

Running Chrome VPN Extensions via the Registry 2 VPN Extension

Running Chrome VPN Extensions via the Registry install 2 vpn extension

MITRE ATT&CK

initial-accesspersistence

Detection Query

chrome_ext:
  TargetObject|contains: Software\Wow6432Node\Google\Chrome\Extensions
  TargetObject|endswith: update_url
chrome_vpn:
  TargetObject|contains:
    - fdcgdnkidjaadafnichfpabhfomcebme
    - fcfhplploccackoneaefokcmbjfbkenj
    - bihmplhobchoageeokmgbdihknkjbknd
    - gkojfkhlekighikafcpjkiklfbnlmeio
    - jajilbjjinjmgcibalaakngmkilboobh
    - gjknjjomckknofjidppipffbpoekiipm
    - nabbmpekekjknlbkgpodfndbodhijjem
    - kpiecbcckbofpmkkkdibbllpinceiihk
    - nlbejmccbhkncgokjcmghpfloaajcffj
    - omghfjlpggmjjaagoclmmobgdodcjboh
    - bibjcjfmgapbfoljiojpipaooddpkpai
    - mpcaainmfjjigeicjnlkdfajbioopjko
    - jljopmgdobloagejpohpldgkiellmfnc
    - lochiccbgeohimldjooaakjllnafhaid
    - nhnfcgpcbfclhfafjlooihdfghaeinfc
    - ookhnhpkphagefgdiemllfajmkdkcaim
    - namfblliamklmeodpcelkokjbffgmeoo
    - nbcojefnccbanplpoffopkoepjmhgdgh
    - majdfhpaihoncoakbjgbdhglocklcgno
    - lnfdmdhmfbimhhpaeocncdlhiodoblbd
    - eppiocemhmnlbhjplcgkofciiegomcon
    - cocfojppfigjeefejbpfmedgjbpchcng
    - foiopecknacmiihiocgdjgbjokkpkohc
    - hhdobjgopfphlmjbmnpglhfcgppchgje
    - jgbaghohigdbgbolncodkdlpenhcmcge
    - inligpkjkhbpifecbdjhmdpcfhnlelja
    - higioemojdadgdbhbbbkfbebbdlfjbip
    - hipncndjamdcmphkgngojegjblibadbe
    - iolonopooapdagdemdoaihahlfkncfgg
    - nhfjkakglbnnpkpldhjmpmmfefifedcj
    - jpgljfpmoofbmlieejglhonfofmahini
    - fgddmllnllkalaagkghckoinaemmogpe
    - ejkaocphofnobjdedneohbbiilggdlbi
    - keodbianoliadkoelloecbhllnpiocoi
    - hoapmlpnmpaehilehggglehfdlnoegck
    - poeojclicodamonabcabmapamjkkmnnk
    - dfkdflfgjdajbhocmfjolpjbebdkcjog
    - kcdahmgmaagjhocpipbodaokikjkampi
    - klnkiajpmpkkkgpgbogmcgfjhdoljacg
    - lneaocagcijjdpkcabeanfpdbmapcjjg
    - pgfpignfckbloagkfnamnolkeaecfgfh
    - jplnlifepflhkbkgonidnobkakhmpnmh
    - jliodmnojccaloajphkingdnpljdhdok
    - hnmpcagpplmpfojmgmnngilcnanddlhb
    - ffbkglfijbcbgblgflchnbphjdllaogb
    - kcndmbbelllkmioekdagahekgimemejo
    - jdgilggpfmjpbodmhndmhojklgfdlhob
    - bihhflimonbpcfagfadcnbbdngpopnjb
    - ppajinakbfocjfnijggfndbdmjggcmde
    - oofgbpoabipfcfjapgnbbjjaenockbdp
    - bhnhkdgoefpmekcgnccpnhjfdgicfebm
    - knmmpciebaoojcpjjoeonlcjacjopcpf
    - dhadilbmmjiooceioladdphemaliiobo
    - jedieiamjmoflcknjdjhpieklepfglin
    - mhngpdlhojliikfknhfaglpnddniijfh
    - omdakjcmkglenbhjadbccaookpfjihpa
    - npgimkapccfidfkfoklhpkgmhgfejhbj
    - akeehkgglkmpapdnanoochpfmeghfdln
    - gbmdmipapolaohpinhblmcnpmmlgfgje
    - aigmfoeogfnljhnofglledbhhfegannp
    - cgojmfochfikphincbhokimmmjenhhgk
    - ficajfeojakddincjafebjmfiefcmanc
    - ifnaibldjfdmaipaddffmgcmekjhiloa
    - jbnmpdkcfkochpanomnkhnafobppmccn
    - apcfdffemoinopelidncddjbhkiblecc
    - mjolnodfokkkaichkcjipfgblbfgojpa
    - oifjbnnafapeiknapihcmpeodaeblbkn
    - plpmggfglncceinmilojdkiijhmajkjh
    - mjnbclmflcpookeapghfhapeffmpodij
    - bblcccknbdbplgmdjnnikffefhdlobhp
    - aojlhgbkmkahabcmcpifbolnoichfeep
    - lcmammnjlbmlbcaniggmlejfjpjagiia
    - knajdeaocbpmfghhmijicidfcmdgbdpm
    - bdlcnpceagnkjnjlbbbcepohejbheilk
    - edknjdjielmpdlnllkdmaghlbpnmjmgb
    - eidnihaadmmancegllknfbliaijfmkgo
    - ckiahbcmlmkpfiijecbpflfahoimklke
    - macdlemfnignjhclfcfichcdhiomgjjb
    - chioafkonnhbpajpengbalkececleldf
    - amnoibeflfphhplmckdbiajkjaoomgnj
    - llbhddikeonkpbhpncnhialfbpnilcnc
    - pcienlhnoficegnepejpfiklggkioccm
    - iocnglnmfkgfedpcemdflhkchokkfeii
    - igahhbkcppaollcjeaaoapkijbnphfhb
    - njpmifchgidinihmijhcfpbdmglecdlb
    - ggackgngljinccllcmbgnpgpllcjepgc
    - kchocjcihdgkoplngjemhpplmmloanja
    - bnijmipndnicefcdbhgcjoognndbgkep
    - lklekjodgannjcccdlbicoamibgbdnmi
    - dbdbnchagbkhknegmhgikkleoogjcfge
    - egblhcjfjmbjajhjhpmnlekffgaemgfh
    - ehbhfpfdkmhcpaehaooegfdflljcnfec
    - bkkgdjpomdnfemhhkalfkogckjdkcjkg
    - almalgbpmcfpdaopimbdchdliminoign
    - akkbkhnikoeojlhiiomohpdnkhbkhieh
    - gbfgfbopcfokdpkdigfmoeaajfmpkbnh
    - bniikohfmajhdcffljgfeiklcbgffppl
    - lejgfmmlngaigdmmikblappdafcmkndb
    - ffhhkmlgedgcliajaedapkdfigdobcif
    - gcknhkkoolaabfmlnjonogaaifnjlfnp
    - pooljnboifbodgifngpppfklhifechoe
    - fjoaledfpmneenckfbpdfhkmimnjocfa
    - aakchaleigkohafkfjfjbblobjifikek
    - dpplabbmogkhghncfbfdeeokoefdjegm
    - padekgcemlokbadohgkifijomclgjgif
    - bfidboloedlamgdmenmlbipfnccokknp
condition: all of chrome_*

Author

frack113

Created

2021-12-28

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension

Tags

attack.initial-accessattack.persistenceattack.t1133

Raw Content

title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high