
Search/Hunt for malicious chrome extensions (w/ Identifiers)

Description: This query looks for Chrome extensions by known extension identifiers. Replace the identifiers inside the single quotes of the IN list ('identifiervalue') with your own values to run a customized search.

What The Data Shows: This helps identify malicious extensions. It was created as a hunting query based on a McAfee TA threat feed that found five Google Chrome extensions that track users' browsing activity. Reference: https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-brow...

SQL:

SELECT
  u.username,
  u.type,
  ce.name,
  ce.path,
  ce.description,
  ce.permissions,
  ce.identifier,
  ce.version,
  datetime(ce.install_timestamp, 'unixepoch', 'localtime') AS Install_date
FROM users u
JOIN chrome_extensions ce USING (UID)
WHERE ce.identifier IN ('mmnbenehknklpbendgmgngeaignppnbe','flijfnhifgdcbhglkneplegafminjnhn','pojgkmkfincpdkdgjepkmdekcahmckjp','adikhbfjdbjkhelbdnffogkobkekkkej','gbnahglfafmhaehbdmjedfhdmimjcbed');

Tables referenced – users, chrome_extensions

Reference link for the osquery schema tables - https://osquery.io/schema/5.4.0/
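To try the hunt offline before pushing it through Live Query, here is an added Python example (not part of the original post) that loads constructed sample rows shaped like osquery's users and chrome_extensions tables into an in-memory SQLite database and runs the same query. The identifier list is bound as parameters, so it can be swapped for any hunt list copied from a feed; the benign extension row, its uid values and timestamps are constructed test data, not real telemetry.

```python
import sqlite3

# Constructed sample rows shaped like osquery's `users` and `chrome_extensions`
# tables (columns trimmed to those the hunt query selects). The first identifier
# is from the post's hunt list; the second is a constructed benign placeholder.
USERS = [(1000, "alice", "local"), (1001, "bob", "local")]
EXTENSIONS = [
    # uid, name, path, description, permissions, identifier, version, install_timestamp
    (1000, "Net Hub", "/home/alice/.config/google-chrome/Default/Extensions/mmnbenehknklpbendgmgngeaignppnbe",
     "Tracking extension", "tabs,webRequest", "mmnbenehknklpbendgmgngeaignppnbe", "1.0", 1665000000),
    (1001, "Harmless Notes", "/home/bob/.config/google-chrome/Default/Extensions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
     "Benign placeholder", "storage", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.3", 1660000000),
]

# Hunt list from the post's query.
HUNT_IDS = [
    "mmnbenehknklpbendgmgngeaignppnbe", "flijfnhifgdcbhglkneplegafminjnhn",
    "pojgkmkfincpdkdgjepkmdekcahmckjp", "adikhbfjdbjkhelbdnffogkobkekkkej",
    "gbnahglfafmhaehbdmjedfhdmimjcbed",
]


def build_db():
    """Create an in-memory stand-in for the two osquery tables and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid INTEGER, username TEXT, type TEXT)")
    con.execute("""CREATE TABLE chrome_extensions (uid INTEGER, name TEXT, path TEXT,
        description TEXT, permissions TEXT, identifier TEXT, version TEXT,
        install_timestamp INTEGER)""")
    con.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    con.executemany("INSERT INTO chrome_extensions VALUES (?,?,?,?,?,?,?,?)", EXTENSIONS)
    return con


def hunt(con, identifiers):
    """Run the post's query; the IN list is bound as parameters rather than pasted into the SQL."""
    placeholders = ",".join("?" * len(identifiers))
    # 'localtime' is left out here so the result does not depend on the host's time zone.
    sql = f"""
        SELECT u.username, u.type, ce.name, ce.path, ce.description, ce.permissions,
               ce.identifier, ce.version,
               datetime(ce.install_timestamp, 'unixepoch') AS install_date
        FROM users u
        JOIN chrome_extensions ce USING (uid)
        WHERE ce.identifier IN ({placeholders})"""
    return con.execute(sql, list(identifiers)).fetchall()


if __name__ == "__main__":
    for row in hunt(build_db(), HUNT_IDS):
        print(row)
```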

4 Comments
jnelson
Carbon Black Employee

@M_Kiran_Kumar can I ask why you did not use a JOIN for this query?

M_Kiran_Kumar
New Contributor III

@jnelson I tried both ways, with and without the JOIN function, and the results were the same as expected. The updated query with the JOIN function has now replaced the one in the original post. Let me know in case of any comments or changes. Thanks!

jnelson
Carbon Black Employee

I was interested in your reasoning as I always like learning new things. In my very limited testing it seems like the JOIN version is slightly more efficient, but not so much as to dictate the choice of one over the other.

Thanks for your contribution!

jnelson
Carbon Black Employee
Status changed to: Approved