
Malicious Browser Extension Downloads using DeviceFileEvents

Credit https://github.com/toborrm9/malicious_extension_sentry

Detection Query

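//Credit https://github.com/toborrm9/malicious_extension_sentry
// Purpose: list Chrome/Edge Web Store extension packages (.crx) written to disk in the
// last 90 days (DeviceFileEvents) and mark any whose extension ID appears in a
// community-maintained list of known-malicious extensions.
//
// NOTE(review): the block list is fetched live from a third-party GitHub branch
// (refs/heads/main) on every run. Whoever can change that repository changes what this
// query flags, and an ID removed upstream becomes a silent false negative. For production
// use, pin the URL to a reviewed commit (replace refs/heads/main with <REVIEWED-COMMIT-SHA>)
// or import the list into a watchlist/table you control and join against that instead.
let MaliciousExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/toborrm9/malicious_extension_sentry/refs/heads/main/Malicious-Extensions.csv'] with (format=txt, ignoreFirstRecord = true)
// The file is read as raw text lines and split on commas, so every comma-separated token
// (not just an ID column) becomes a candidate ExtensionID. Tokens are whitespace-trimmed and
// empty ones dropped so a ", id" entry still joins and blank cells never match anything.
| extend ExtensionID = split(ExtensionID,",")
| mv-expand ExtensionID
| extend ExtensionID = trim(@"\s+", tostring(ExtensionID))
| where isnotempty(ExtensionID);
DeviceFileEvents
// Sentinel schema (TimeGenerated); in Defender advanced hunting the equivalent column is Timestamp.
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
// Strip the "_<version>.crx" suffix to recover the Web Store extension ID. The dot is escaped
// so the pattern only removes a literal ".crx" (an unescaped "." matches any character).
| extend ExtensionID = trim_end(@"_\d{2,6}\.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL
// leftouter keeps every downloaded extension; rows where the right-side key (ExtensionID1)
// is non-empty are the ones present in the malicious list. Append
// `| where isnotempty(ExtensionID1)` to return only flagged downloads.
| join kind=leftouter MaliciousExtensions on ExtensionID //if name is present in the risky list present it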

Data Sources

DeviceFileEvents

Platforms

windows

Tags

defender
Raw Content
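//Credit https://github.com/toborrm9/malicious_extension_sentry
// Purpose: list Chrome/Edge Web Store extension packages (.crx) written to disk in the
// last 90 days (DeviceFileEvents) and mark any whose extension ID appears in a
// community-maintained list of known-malicious extensions.
//
// NOTE(review): the block list is fetched live from a third-party GitHub branch
// (refs/heads/main) on every run. Whoever can change that repository changes what this
// query flags, and an ID removed upstream becomes a silent false negative. For production
// use, pin the URL to a reviewed commit (replace refs/heads/main with <REVIEWED-COMMIT-SHA>)
// or import the list into a watchlist/table you control and join against that instead.
let MaliciousExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/toborrm9/malicious_extension_sentry/refs/heads/main/Malicious-Extensions.csv'] with (format=txt, ignoreFirstRecord = true)
// The file is read as raw text lines and split on commas, so every comma-separated token
// (not just an ID column) becomes a candidate ExtensionID. Tokens are whitespace-trimmed and
// empty ones dropped so a ", id" entry still joins and blank cells never match anything.
| extend ExtensionID = split(ExtensionID,",")
| mv-expand ExtensionID
| extend ExtensionID = trim(@"\s+", tostring(ExtensionID))
| where isnotempty(ExtensionID);
DeviceFileEvents
// Sentinel schema (TimeGenerated); in Defender advanced hunting the equivalent column is Timestamp.
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
// Strip the "_<version>.crx" suffix to recover the Web Store extension ID. The dot is escaped
// so the pattern only removes a literal ".crx" (an unescaped "." matches any character).
| extend ExtensionID = trim_end(@"_\d{2,6}\.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL
// leftouter keeps every downloaded extension; rows where the right-side key (ExtensionID1)
// is non-empty are the ones present in the malicious list. Append
// `| where isnotempty(ExtensionID1)` to return only flagged downloads.
| join kind=leftouter MaliciousExtensions on ExtensionID //if name is present in the risky list present it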