Query Details

Malicious Browser Extension Downloads Using Device File Events

Query

//Credit https://github.com/toborrm9/malicious_extension_sentry
let MaliciousExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/toborrm9/malicious_extension_sentry/refs/heads/main/Malicious-Extensions.csv'] with (format=txt, ignoreFirstRecord = true)
| extend ExtensionID = split(ExtensionID,",")
| mv-expand ExtensionID
| extend ExtensionID = tostring(ExtensionID);
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
| extend ExtensionID = trim_end(@"_\d{2,6}.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL
| join kind=leftouter MaliciousExtensions on ExtensionID //if name is present in the risky list present it

Explanation

This query is designed to identify potentially malicious browser extensions that have been downloaded onto devices within the last 90 days. Here's a simple breakdown of what it does:

  1. Load Malicious Extensions List: It retrieves a list of known malicious extension IDs from an external CSV file hosted on GitHub.

  2. Process Device File Events: It examines file events on devices, specifically looking for files that were created in the last 90 days and have a .crx file extension, which is typical for browser extensions.

  3. Filter for Webstore Downloads: It further filters these events to include only those where the file was downloaded from a web store, as indicated by the folder path.

  4. Extract Extension IDs: It extracts the extension ID from the file name and constructs URLs for both the Chrome Web Store and Microsoft Edge Add-ons store for each extension.

  5. Summarize and Count: It summarizes the data by counting the occurrences of each extension ID, along with their corresponding URLs.

  6. Join with Malicious List: Finally, it performs a left outer join with the list of known malicious extensions to identify which of the downloaded extensions are potentially risky.

In essence, this query helps in monitoring and identifying potentially harmful browser extensions that have been downloaded onto devices, allowing for further investigation or action if necessary.

Details

Jay Kerai profile picture

Jay Kerai

Released: February 8, 2026

Tables

DeviceFileEvents

Keywords

MaliciousExtensionsDeviceFileEventsTimeGeneratedActionTypeFileNameFolderPathExtensionIDExtensionURLEdgeExtensionURL

Operators

letexternaldatawithextendsplitmv-expandtostringwhereagoendswithcontainstrim_endstrcatsummarizecountbyjoinon

Actions

GitHub