Osquery – Enriching Chrome Extension Data

I am always looking for ways to gain further context around data in order to make more effective decisions about whats actually going on. Last fall I was looking at the data provided by the chrome_extensions table – what other data could be used to provide further context?

Last year a fake Signal Messenger extension was published to the Chrome webstore. If someone installed the fake one, how would I quickly/efficiently know it was the fake one? Just from the osquery data it would not be that easy… but what about all the metadata available on the Chrome store? (see here) The legit extension has 200k+ users, but the malicious extension had less than 5k. Not to mention the version numbers, ratings, how many users rated it, etc.

With this idea in mind, I looked for a way to integrate this type of data with the osquery chrome_extensions data, but could not find anything out there. So using Apify, I scraped a bit of the Chrome extension store getting metadata for a number of extensions. I then integrated the data into an Osquery + ElasticStack environment, using a Logstash lookup within the Logstash pipeline. Here is what I ended up with:

-Dashboard (proof of concept) – https://www.screencast.com/t/fCILdraN8

-Original data & metadata – https://www.screencast.com/t/pAJHWUGjdb

I didn’t have the time to take this idea any further, so I let it drop. Then this past week CRXcavator was released by Duo & @crxpert and it’s awesome!

“CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors. These factors include permissions, inclusion of vulnerable third party javascript libraries, weak content security policies, missing details from the Chrome Web Store description, and more….”  https://crxcavator.io/docs#/README

So let’s go ahead and integrate this data with osquery. We can easily query CRXcavator – all we need is the extension id and version. Once again using an Osquery + ElasticStack environment (Security Onion / Hybrid Hunter), I wrote a Logstash http filter to query CRXcavator.io whenever we have inbound chrome extension data.

The results:

-Overview Dashboard: https://www.screencast.com/t/JXiDS3lV4fJK

-Filtered to a specific extension: https://www.screencast.com/t/VFY4XnFG3tUj

As you can see from the screenshots we have quite a bit more data to work with: hostname, username, extension details (from osquery) & extension metadata (from CRXcavator). The analyst can use the Full Report link to review a much more detailed report about the extension on CRXcavator.io. They can also quickly pivot to a live query of the system using the Live Query link. There will certainly be further work needed on layout etc, but the essentials are there.

Thanks again to Duo and @crxpert for this great tool!

-Josh

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close