Hunt Queries

T1176: Browser Extensions

MITRE Description: Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.

Analysis: Browser extensions are a huge pain for any organization. Users are constantly looking for solutions to make their work easier, faster, or more productive, and browser extensions are a convenient way to integrate different software and add capabilities. However, browser extensions are also a threat vector and are regularly abused by adversaries in the wild, including extensions that are not in a browser's official web store. Non-webstore extensions can also be loaded at browser launch through a shortcut parameter (the --load-extension command-line switch). The hunt query below detects this behavior, normalizes the command lines so per-user and per-install differences collapse, and groups and sorts the results so rare launches stand out.

CrowdStrike

event_platform=win CommandLine IN (*--load-extension*) NOT (*[known exclusion]*)
| eval CommandLine=lower(CommandLine)
| eval CommandLine=replace(CommandLine,"program files\\\\google\\\\chrome\\\\application\\\\chrome.exe","CHROMEPATH")
| eval CommandLine=replace(CommandLine,"program files \(x86\)\\\\google\\\\chrome\\\\application\\\\chrome.exe","CHROMEPATH")
| eval CommandLine=replace(CommandLine,"program files\\\\microsoft\\\\edge\\\\application\\\\msedge.exe","EDGEPATH")
| eval CommandLine=replace(CommandLine,"program files \(x86\)\\\\microsoft\\\\edge\\\\application\\\\msedge.exe","EDGEPATH")
| eval CommandLine=replace(CommandLine,"users\\\\[^\\\\]+","users\\USERNAME")
| eval CommandLine=replace(CommandLine,"scoped_dir[0-9]+_[0-9]+","USERDATADIRECTORY")
| stats dc(ComputerName) count by CommandLine
| sort + count

Splunk

sourcetype=WinEventLog EventCode=4688 Process_Command_Line IN (*--load-extension*)
| stats dc(ComputerName) count by Process_Command_Line
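As an added illustration (not part of the original hunt page), the same normalization and grouping the CrowdStrike query performs, implemented in Python over a few constructed process-creation events so the collapsing of browser paths, usernames and scoped_dir temp folders can be seen end to end; the exclusions parameter stands in for the query's [known exclusion] placeholder.

```python
import re
from collections import defaultdict

# Constructed sample process events (hostname, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\scoped_dir1234_5678\ext"'),
    ("WS02", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\bob\AppData\Local\Temp\scoped_dir99_1\ext"'),
    ("WS03", r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension=C:\Users\carol\tools\myext'),
    ("WS01", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
]

# Same normalisation steps as the hunt query: after lowercasing, collapse the
# browser binary paths, the per-user folder and the temporary scoped_dir name.
NORMALISERS = [
    (re.compile(r"program files( \(x86\))?\\google\\chrome\\application\\chrome\.exe"), "CHROMEPATH"),
    (re.compile(r"program files( \(x86\))?\\microsoft\\edge\\application\\msedge\.exe"), "EDGEPATH"),
    (re.compile(r"users\\[^\\]+"), r"users\\USERNAME"),
    (re.compile(r"scoped_dir[0-9]+_[0-9]+"), "USERDATADIRECTORY"),
]


def normalise(cmdline: str) -> str:
    """Lowercase the command line and apply each placeholder substitution in order."""
    cmd = cmdline.lower()
    for pattern, placeholder in NORMALISERS:
        cmd = pattern.sub(placeholder, cmd)
    return cmd


def hunt(events, exclusions=()):
    """Mirror the query: filter on --load-extension, drop known exclusions,
    then return [(normalised_cmdline, distinct_hosts, count)] sorted by count ascending."""
    hosts = defaultdict(set)   # dc(ComputerName)
    counts = defaultdict(int)  # count
    for host, cmdline in events:
        lowered = cmdline.lower()
        if "--load-extension" not in lowered:
            continue
        if any(exc.lower() in lowered for exc in exclusions):
            continue
        key = normalise(cmdline)
        hosts[key].add(host)
        counts[key] += 1
    return sorted(((k, len(hosts[k]), counts[k]) for k in counts), key=lambda row: row[2])


if __name__ == "__main__":
    for cmd, dc_hosts, count in hunt(SAMPLE_EVENTS):
        print(f"{dc_hosts:>3} hosts {count:>3} events  {cmd}")
```

The two Chrome launches from different users and temp folders collapse into one row, while the Edge launch remains a separate, lower-count row at the top of the ascending sort.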

Potential CAPTCHA Bypass

Analysis: Web scrapers are constantly trawling the web; look for traffic from potential scrapers hitting CAPTCHA pages. CAPTCHA bypass methods largely depend on which flavor of CAPTCHA is implemented, and confirming a bypass may not be possible without a PCAP capture; however, starting with proxy logs is always a good first step. Further investigation should be performed on the IP addresses found.

Splunk

TERM(captcha) index=[proxy_index] url_domain=[domain_of_interest]
| bucket _time span=10m
| stats count by _time c_ip action cs_method http_user_agent url
| where count > 5
| sort - count

Potential CVE-2023-38831 WinRAR Exploitation

Analysis: A simple hunt query to find exploitation of CVE-2023-38831. The vulnerability lets a crafted archive run a script when the user opens what looks like a harmless file inside it, so the signal is WinRAR spawning a command interpreter.

CrowdStrike

event_simpleName=ProcessRollup2 (ParentBaseFileName=winrar.exe FileName=cmd.exe)
| stats count by ParentBaseFileName FileName CommandLine