KQL To Detect New Chromium Browser Extension Installation On MDE Endpoints By Emerald Sleet APT43
Query
// KQL to detect new chromium browser extension installation on MDE endpoints by Emerald Sleet (APT43)
// https://www.linkedin.com/posts/activity-7212205082002513922-WGt4/
// Emerald Sleet (APT43) deploying faked google translate extension to exfiltrate user email, password and cookie data. Targeting users in the U.S., Europe, and South Korea.
// KQL to detect new chromium browser extension installation on MDE endpoints.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "Webstore Downloads" and FileName endswith ".crx"
| extend ExtensionId = extract(@"(?i)Downloads[\\/]|Webstore Downloads[\\/](.+?)_\d+\.crx", 1, FolderPath)
// MITRE ATT&CK Mapping
// Based on the analysis, the KQL query can be associated with the following MITRE ATT&CK techniques:
// T1071.001 - Application Layer Protocol: Web Protocols:
// The detection of .crx files in the “Webstore Downloads” folder indicates potential use of web protocols to download and install browser extensions.
// T1036.005 - Masquerading: Match Legitimate Name or Location:
// The use of legitimate folder names like “Webstore Downloads” can be a technique to masquerade malicious files as legitimate downloads.
// T1204.002 - User Execution: Malicious File:
// The creation of .crx files could be part of a social engineering attack where users are tricked into executing malicious browser extensions.Explanation
This KQL query is designed to detect the installation of new Chromium browser extensions on Microsoft Defender for Endpoint (MDE) devices. Specifically, it targets suspicious activities associated with the threat actor known as Emerald Sleet (APT43), who is known for deploying a fake Google Translate extension to steal user data such as emails, passwords, and cookies. The query focuses on identifying when a new browser extension file (with a ".crx" extension) is created in the "Webstore Downloads" folder, which is indicative of a new extension installation.
Here's a breakdown of the query:
-
Data Source: The query examines
DeviceFileEvents, which logs file-related activities on devices. -
File Creation Detection: It filters events where the action type is "FileCreated", indicating a new file has been created.
-
Folder and File Type Filtering: It further narrows down the results to files created in the "Webstore Downloads" folder with a ".crx" file extension, which are typical for Chromium browser extensions.
-
Extracting Extension ID: The query extracts the extension ID from the file path to help identify the specific extension being installed.
-
Security Context: The query is mapped to specific MITRE ATT&CK techniques:
- T1071.001: Indicates the use of web protocols to download and install extensions.
- T1036.005: Highlights the use of legitimate folder names to disguise malicious files.
- T1204.002: Suggests that the creation of these files could be part of a social engineering attack.
Overall, this query helps security teams detect potentially malicious browser extensions that could compromise user data, especially those targeting users in the U.S., Europe, and South Korea.
