Based on the latest BleepingComputer blog, there are 6 million Chrome extension installs with risky hidden tracking code. These extensions can monitor browsing behavior, access cookies, and execute remote scripts.
KQL Query to Detect Risky Extensions
Use the following Kusto Query Language (KQL) to check if any enterprise users are affected:
```kql
// Pull the list of risky extension IDs from the feed, then look for .crx files whose name carries one of them
let SecureAnnex = externaldata(extension_id:string) [h'https://lnkd.in/gzWY4EM9'];
let MID = SecureAnnex | project extension_id;
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName endswith ".crx"
| where FileName has_any (MID)
```
You Should Know: How to Detect & Remove Malicious Chrome Extensions
1. Manual Detection in Chrome
- Open Chrome → Settings → Extensions
- Look for suspicious extensions (check permissions, reviews, and developer details).
- Remove unknown or unnecessary extensions.
2. Command-Line Detection (Linux/Windows)
Linux (Check Installed Extensions)
```bash
# Each sub-folder is named after the 32-character extension ID
ls ~/.config/google-chrome/Default/Extensions/
```
Windows (PowerShell – List Extensions)
```powershell
# $env:LOCALAPPDATA resolves to the current user's AppData\Local folder
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Recurse
```
3. Block Extensions via Group Policy (Windows)
- Open Group Policy Editor (`gpedit.msc`); the Google Chrome folder below only appears once the Chrome ADMX policy templates have been imported.
- Navigate to: `Computer Configuration → Administrative Templates → Google → Google Chrome → Extensions`
- Enable “Configure extension installation allowlist” and specify approved extensions.
4. Monitor Network Traffic for Suspicious Activity
Use Wireshark or tcpdump to detect unusual connections from Chrome. Note that tcpdump output shows addresses and ports, not process names, so grepping it for "chrome" matches nothing; capture the web traffic and map live sockets to the chrome process with `ss`:
```bash
sudo tcpdump -i any -n 'port 443 or port 80'
sudo ss -tnp | grep chrome
```
5. Automate Extension Auditing with Bash
```bash
#!/bin/bash
EXT_DIR="$HOME/.config/google-chrome/Default/Extensions"
for ext_path in "$EXT_DIR"/*/; do
    ext=$(basename "$ext_path")   # folder name is the 32-character extension ID
    echo "Checking extension: $ext"
    # Web Store detail pages redirect, so follow them and pull rating/permission mentions from the HTML
    curl -sL "https://chrome.google.com/webstore/detail/$ext" | grep -E "rating|permissions"
done
```
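As an added example that is not part of the original post, the following Python script audits Chrome's Extensions folder offline: it reads each installed manifest.json, flags permissions that expose browsing data together with broad host access, and matches extension IDs against a risky-ID list such as the feed used in the KQL query above. The risky-permission shortlist, the sample extension IDs and the sample manifests are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# API permissions that expose browsing activity/cookies or let remote code run (audit shortlist, not Chrome's)
RISKY_PERMISSIONS = {"cookies", "tabs", "history", "webRequest", "webRequestBlocking", "scripting"}


def is_broad_host(pattern):
    return pattern == "<all_urls>" or pattern.startswith(("*://*/", "http://*/", "https://*/"))


def audit_extensions(ext_root, risky_ids):
    """Walk <ext_root>/<id>/<version>/manifest.json (Chrome's Extensions layout) and
    return one finding per installed version; IDs in risky_ids are always suspicious."""
    findings = []
    for ext_dir in sorted(p for p in Path(ext_root).iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
            # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
            hosts = [p for p in perms if "://" in p or p == "<all_urls>"] + manifest.get("host_permissions", [])
            risky = sorted(set(perms) & RISKY_PERMISSIONS)
            broad = any(is_broad_host(h) for h in hosts)
            listed = ext_dir.name in risky_ids
            findings.append({"id": ext_dir.name, "version": manifest_path.parent.name,
                             "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
                             "risky_permissions": risky, "broad_host_access": broad,
                             "on_risky_list": listed, "suspicious": listed or (bool(risky) and broad)})
    return findings


def build_sample_tree(root):
    """Write two constructed manifests in Chrome's layout (sample data, not real extensions)."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0_0": {"manifest_version": 3, "name": "Tracker-ish",
            "permissions": ["cookies", "tabs", "scripting"], "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3.1_0": {"manifest_version": 2, "name": "Benign",
            "permissions": ["storage", "https://example.com/*"]},
    }
    for rel, manifest in samples.items():
        path = Path(root) / rel / "manifest.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")


def audit_sample(risky_ids=frozenset()):
    with tempfile.TemporaryDirectory() as tmp:  # on a real host, pass the Extensions folder to audit_extensions()
        build_sample_tree(tmp)
        return audit_extensions(tmp, risky_ids)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["id"], f["version"], f["risky_permissions"], f["broad_host_access"], f["suspicious"])
```

Unlike the curl loop, this needs no network access and works on the Windows path from step 2 as well, since Chrome uses the same `<id>/<version>/manifest.json` layout there.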
What Undercode Say
Malicious Chrome extensions pose serious privacy and security risks. Enterprises should enforce strict extension policies, monitor installations, and use KQL for threat hunting. Regular audits and network monitoring can prevent data leaks.
Expected Output:
- Detection of malicious `.crx` files via KQL.
- List of installed extensions in Chrome.
- Network logs indicating suspicious Chrome activity.
- Automated script output for extension permissions.
Stay vigilant and enforce least-privilege extension policies!
References:
Reported By: 0x534c Cybersecurity – Hackers Feeds