FalconFriday — Detecting Malicious Browser Extensions and Code Signing - 0xFF01

Olaf Hartong
Aug 28

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today; part two. Cheers!


The Falcon Friday series continues! We hope you've had the chance to start working with our previous queries. We are now releasing new hunting queries which will hopefully help you detect mischief. For reference purposes we tagged this part of the series as 0xFF01, making it easier to track the content.

Today’s content:

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests (PR) if you have improvements which can benefit the community. We will make sure to cover your PRs in the blog following your PR.

Detecting new or updated Chromium-based extensions

Modern browsers are becoming more and more like operating systems in terms of complexity. They have full control over, and insight into, end users' online activity. Browser extensions add functionality to the browser, making it easier to use.

However, these browser extensions can be malicious as well. Malicious extensions can be installed, for example, through a malicious app store, masquerading as a legitimate version. Adversaries might use these extensions to gain access to credentials, to establish persistent access to systems, or to serve as C2 infrastructure. Once installed, extensions remain largely undetected. Therefore it is crucial to be able to identify extension activity that deviates from normal, expected or benign activity.

This query is aimed at detecting new or updated browser extensions, specifically for Chromium builds.

As mentioned earlier, you want to identify newly installed extensions rapidly to make sure seemingly benign extensions do not create gaping security holes in your environment.

You can find the query on GitHub; we tagged it as T1176-WIN-001.md.

A few considerations:

Example diving into one of our findings

[Screenshots of the finding: the flagged VPN extension ("VPN extension to do..?") and the known vulnerabilities in this particular version of the extension.]

Usage in production

One of the recommendations when implementing a rule like this in production is to keep track of all extensions used in your organization and to periodically review the risk rating of each of them. An attacker might be able to alter a popular extension with a large install base, adding features that change its risk rating dramatically. Being aware of these changes allows you to take action quickly.

Detecting binaries connecting to the internet with an unsigned or untrusted code signing certificate

In order to evade detection, attackers may use binaries that mimic a trusted certificate, or modified signed binaries, to make outbound network connections. This increases the chance of deceiving users, analysts, or tools, allowing the attacker to carry out their objective. Adversaries could, for example, copy metadata and signature information from a signed program and use this as a template for an unsigned program.

This query is aimed at detecting network connections towards non-RFC-1918 IP addresses.

The binary can also be completely unsigned, which stands out even more. By combining the network connection events towards non-private IP addresses with the certificate validation information of the binaries in question, we have a fairly trustworthy means of detection.

You can find the query on GitHub; we tagged it as T1036.001-WIN-001.md.

Considerations

Usage in production

There are legitimate binaries that are unsigned, even Microsoft-supplied ones like powershell.exe. Given the description of this rule, such a hit might be called a false positive; however, you may still want to see connections towards the internet from those binaries as well.
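The detection logic described above (connections to non-RFC-1918 addresses from binaries that are unsigned, fail validation, or are signed by an unexpected signer) as an added example that is not the query from GitHub or any FalconForce code. The event fields, the trusted-signer list and the sample events are all assumptions constructed for illustration; loopback is excluded in addition to the RFC 1918 ranges the page names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumed event shape: a network-connection event joined with the code-signing
# verdict of the initiating binary. Field names are assumptions, not a real schema.
@dataclass
class NetConnEvent:
    device: str
    process: str
    signature_status: str   # assumed values: "Valid", "Unsigned", "Invalid"
    signer: str             # certificate subject; "" when unsigned
    remote_ip: str

# RFC 1918 ranges from the page, plus loopback (an assumption added here).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_private(ip: str) -> bool:
    """True when the destination is an internal (non-internet) address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def is_untrusted(ev: NetConnEvent, trusted_signers: Set[str]) -> bool:
    """Unsigned, failed validation (e.g. a modified signed binary), or a signer
    that is not on the organisation's trust list (e.g. copied metadata)."""
    if ev.signature_status != "Valid":
        return True
    return ev.signer not in trusted_signers

def find_suspicious(events: Iterable[NetConnEvent],
                    trusted_signers: Set[str]) -> List[NetConnEvent]:
    """Internet-bound connections from binaries with an untrusted signature."""
    return [ev for ev in events
            if not is_private(ev.remote_ip) and is_untrusted(ev, trusted_signers)]

# Constructed sample events; public addresses use documentation ranges only.
SAMPLE_EVENTS = [
    NetConnEvent("ws01", "chrome.exe",     "Valid",    "Google LLC",         "203.0.113.20"),
    NetConnEvent("ws01", "updater.exe",    "Valid",    "Contoso Example Ltd","203.0.113.10"),
    NetConnEvent("ws02", "powershell.exe", "Unsigned", "",                   "198.51.100.5"),
    NetConnEvent("ws02", "tool.exe",       "Unsigned", "",                   "10.0.0.5"),
    NetConnEvent("ws03", "svc.exe",        "Invalid",  "Microsoft Windows",  "198.51.100.9"),
]
TRUSTED_SIGNERS = {"Google LLC", "Microsoft Windows", "Microsoft Corporation"}

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS, TRUSTED_SIGNERS):
        print(f"{ev.device}: {ev.process} -> {ev.remote_ip} "
              f"({ev.signature_status}, signer={ev.signer or 'none'})")
```

The unsigned powershell.exe hit is exactly the case the paragraph above describes: technically a false positive for this rule, yet still worth reviewing; an allowlist on the process name would suppress it if desired.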

Disclaimers

The FalconForce Medium page with the bi-weekly articles can be found here.
