Osquery – Enriching Chrome Extension Data

I am always looking for ways to gain further context around data in order to make more effective decisions about what's actually going on. Last fall I was looking at the data provided by the chrome_extensions table – what other data could be used to provide further context?

Last year a fake Signal Messenger extension was published to the Chrome webstore. If someone installed the fake one, how would I quickly/efficiently know it was the fake one? Just from the osquery data it would not be that easy… but what about all the metadata available on the Chrome store? (see here) The legit extension has 200k+ users, but the malicious extension had less than 5k. Not to mention the version numbers, ratings, how many users rated it, etc.

With this idea in mind, I looked for a way to integrate this type of data with the osquery chrome_extensions data, but could not find anything out there. So using Apify, I scraped a bit of the Chrome extension store getting metadata for a number of extensions. I then integrated the data into an Osquery + ElasticStack environment, using a Logstash lookup within the Logstash pipeline. Here is what I ended up with:

-Dashboard (proof of concept) – https://www.screencast.com/t/fCILdraN8

-Original data & metadata – https://www.screencast.com/t/pAJHWUGjdb

I didn’t have the time to take this idea any further, so I let it drop. Then this past week CRXcavator was released by Duo & @crxpert and it’s awesome!

“CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors. These factors include permissions, inclusion of vulnerable third party javascript libraries, weak content security policies, missing details from the Chrome Web Store description, and more….” https://crxcavator.io/docs#/README

So let’s go ahead and integrate this data with osquery. We can easily query CRXcavator – all we need is the extension id and version. Once again using an Osquery + ElasticStack environment (Security Onion / Hybrid Hunter), I wrote a Logstash http filter to query CRXcavator.io whenever we have inbound chrome extension data.
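As an added example (not the author's actual filter), here is the shape such a Logstash http filter takes. It assumes the osquery result log arrives with the chrome_extensions row nested under [columns] (so the id is [columns][identifier]) and that CRXcavator's report endpoint is /v1/report/<id>/<version>; confirm both against your osquery output and the CRXcavator docs linked above before relying on it.

```logstash
filter {
  # Only fire for osquery rows that carry a chrome_extensions id and version
  # (assumption: the row is nested under [columns], as in osquery's results log).
  if [columns][identifier] and [columns][version] {
    http {
      # Assumed CRXcavator report endpoint; verify against https://crxcavator.io/docs
      url => "https://api.crxcavator.io/v1/report/%{[columns][identifier]}/%{[columns][version]}"
      verb => "GET"
      # Parsed JSON report lands under [crxcavator]; headers go to a scratch field
      target_body => "[crxcavator]"
      target_headers => "[crxcavator_headers]"
      # An extension/version CRXcavator has not scanned yields a non-2xx response:
      # tag the event rather than dropping it so the osquery row still indexes.
      tag_on_request_failure => ["_crxcavator_request_failure"]
      tag_on_json_parse_failure => ["_crxcavator_json_failure"]
    }
    if [crxcavator] {
      mutate {
        # Link the analyst straight to the full report for this id/version
        add_field => {
          "[crxcavator_full_report]" => "https://crxcavator.io/report/%{[columns][identifier]}/%{[columns][version]}"
        }
      }
    }
    mutate { remove_field => ["crxcavator_headers"] }
  }
}
```

Events tagged _crxcavator_request_failure are worth their own dashboard panel: an extension with no CRXcavator report at all is itself a signal an analyst may want to look at.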

The results:

-Overview Dashboard: https://www.screencast.com/t/JXiDS3lV4fJK

-Filtered to a specific extension: https://www.screencast.com/t/VFY4XnFG3tUj

As you can see from the screenshots we have quite a bit more data to work with: hostname, username, extension details (from osquery) & extension metadata (from CRXcavator). The analyst can use the Full Report link to review a much more detailed report about the extension on CRXcavator.io. They can also quickly pivot to a live query of the system using the Live Query link. There will certainly be further work needed on layout etc., but the essentials are there.

Thanks again to Duo and @crxpert for this great tool!

-Josh
