The detection identifies potential adversary enumeration of browser extensions by monitoring CRX file activity, which may indicate reconnaissance or persistence efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify suspicious extensions that could be used for lateral movement or data exfiltration.
KQL Query
DeviceFileEvents
| where TimeGenerated >= ago(180d)
| where FileName endswith ".crx"
| extend ExtensionId = tolower(split(FileName, "_")[0])
| where ExtensionId matches regex @"^[a-p]{32}$"
| summarize DeviceCount = dcount(DeviceName) by ExtensionId
| sort by DeviceCount desc
id: ede058ab-97a8-4494-aa76-b7f5f6d78cba
name: Browser Extension Enumeration via DeviceFileEvents
description: |
Identifies browser extension CRX files observed across endpoints. Helps in enumerating commonly installed extensions and hunting for potentially malicious ones.
---
Optional Enrichment:
To enrich the `ExtensionId` values with extension names, ratings, and user counts, use the open-source script from:
https://github.com/venkat117/browser-extension-scraper
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- DeviceFileEvents
tactics:
- Discovery
query: |
DeviceFileEvents
| where TimeGenerated >= ago(180d)
| where FileName endswith ".crx"
| extend ExtensionId = tolower(split(FileName, "_")[0])
| where ExtensionId matches regex @"^[a-p]{32}$"
| summarize DeviceCount = dcount(DeviceName) by ExtensionId
| sort by DeviceCount desc
queryFrequency: P7D
queryPeriod: P180D
version: 1.0.0
kind: Hunting
tags:
- ChromeExtensions
- Endpoint
- DeviceFileEvents
author:
name: Venkata Reddy
email: venkatareddy1173@gmail.com
| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as Windows Update or Disk Cleanup, may generate file system events that resemble CRX file activity.
Filter/Exclusion: Exclude files with extensions not matching .crx or filter by file paths that are known system directories (e.g., C:\Windows\ or C:\Program Files\).
Scenario: User-Initiated Browser Extension Installation
Description: A user may manually install a browser extension via the Chrome Web Store or other legitimate sources, triggering file creation events that match the detection logic.
Filter/Exclusion: Exclude events where the file was created by a known browser extension installer (e.g., chrome-extension:// or chrome-web-store://).
Scenario: Admin-Initiated Group Policy Deployment
Description: An administrator may deploy browser extensions via Group Policy or Microsoft Intune, which can result in CRX files being created on endpoints.
Filter/Exclusion: Exclude files created by known administrative tools or processes (e.g., gpupdate.exe, intunewin.exe, or microsoft-intune-mam.exe).
Scenario: Automation Tool or Script Execution
Description: A legitimate automation tool like PowerShell, Python, or Ansible may generate CRX files as part of a script or configuration task.
Filter/Exclusion: Exclude files created by known automation tools or scripts (e.g., powershell.exe, python.exe, or ansible-playbook.exe) or filter by process names associated with automation.
Scenario: Security Software or Endpoint Protection Updates
Description: Some endpoint security tools may package extensions or use CRX-like files as part of their update or configuration process.
Filter/Exclusion: Exclude files