Detecting browser extension installations

mthcht
2 min readAug 7, 2023


Chrome and Firefox

Scenario:

You’ve discovered a browser extension you don’t recognize on a user’s workstation. What do you look for to investigate how the extension got there and whether an incident has occurred?

ref https://twitter.com/mthcht/status/1647370542867947520

Firefox

On a Windows machine, when a Firefox addon is installed, the following operations are observed from the firefox.exe process (the `*.default-esr` profile suffix below is the ESR build; release builds use `*.default-release`):

File creation:

‘myaddon’ and ‘myaddon.xpi’ in:

  • C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-esr\extensions\staged\

Addon GUID in:

  • C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-esr\storage\default\moz-extension+++(myaddonGUID)*

Image loaded:

  • C:\Program Files (x86)\Mozilla Firefox\xul.dll (C:\Program Files\Mozilla Firefox\xul.dll for 64-bit builds)

Proxy logs:

CLI installation, if it occurred (check the parent process):

  • CommandLine: firefox -install-global-extension *.xpi
  • Information about installed extensions is in extensions.json in the Firefox user profile
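As an added example (not the author's code), the script below reads the two profile files that tie the Firefox traces above together: extensions.json gives the install date, source URL, signing state and .xpi path of every addon, and the extensions.webextensions.uuids pref in prefs.js maps each addon id to the UUID that names its moz-extension+++<uuid> directory under storage\default\. Both sample files are constructed for the example (the ids, names, UUIDs, paths and URLs are invented); the triage flags (unsigned, not downloaded from addons.mozilla.org, non-profile install location) are my heuristics, not something the page states.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed extensions.json, trimmed to the fields used here. Ids, names,
# paths and URLs are invented for the example.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "myaddon@example.com", "version": "1.0", "type": "extension",
         "installDate": 1691395200000, "location": "app-profile",
         "sourceURI": "https://files.example.net/myaddon.xpi", "signedState": 0,
         "active": True, "userDisabled": False, "defaultLocale": {"name": "My Addon"},
         "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-esr\\extensions\\myaddon@example.com.xpi"},
        {"id": "signed@example.org", "version": "3.2", "type": "extension",
         "installDate": 1690000000000, "location": "app-profile",
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1234/signed.xpi",
         "signedState": 2, "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Signed Example"},
         "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-esr\\extensions\\signed@example.org.xpi"},
        {"id": "mytheme@example.com", "version": "1.3", "type": "theme",
         "installDate": 1690000000000, "location": "app-profile", "signedState": 2,
         "active": True, "userDisabled": False, "defaultLocale": {"name": "My Theme"}},
    ],
})

# Constructed prefs.js lines. The addon id -> moz-extension UUID map is kept in
# the extensions.webextensions.uuids pref as a JSON document inside a JS string.
SAMPLE_PREFS_JS = r'''user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.webextensions.uuids", "{\"myaddon@example.com\":\"1e3d5c71-0a2b-4f3e-9d8c-7b6a5f4e3d2c\",\"signed@example.org\":\"9f8e7d6c-5b4a-4321-8765-0fedcba98765\"}");
'''

UUID_PREF = re.compile(r'user_pref\("extensions\.webextensions\.uuids",\s*"((?:[^"\\]|\\.)*)"\);')


def parse_uuid_map(prefs_js_text):
    """Return {addon id: uuid}; the pref value needs two decodes (JS string literal, then JSON)."""
    match = UUID_PREF.search(prefs_js_text)
    if not match:
        return {}
    return json.loads(json.loads('"' + match.group(1) + '"'))


def load_addons(extensions_json_text, prefs_js_text):
    """Inventory installed extensions (themes, dictionaries, etc. are skipped) with triage flags."""
    uuids = parse_uuid_map(prefs_js_text)
    rows = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue
        uuid = uuids.get(addon["id"])
        source = addon.get("sourceURI") or ""
        row = {
            "id": addon["id"],
            "name": addon.get("defaultLocale", {}).get("name"),
            "version": addon.get("version"),
            # installDate is milliseconds since the Unix epoch
            "installed": datetime.fromtimestamp(addon["installDate"] / 1000, tz=timezone.utc).isoformat(),
            "location": addon.get("location"),
            "sourceURI": source,
            "signedState": addon.get("signedState"),
            "path": addon.get("path"),
            "uuid": uuid,
            # directory name under storage\default\ that belongs to this addon
            "storage_dir": f"moz-extension+++{uuid}" if uuid else None,
        }
        flags = []
        if row["signedState"] == 0:            # AddonManager.SIGNEDSTATE_MISSING
            flags.append("unsigned")
        if urlsplit(source).hostname != "addons.mozilla.org":
            flags.append("not-from-AMO")
        if row["location"] != "app-profile":   # e.g. sideloaded from system or registry locations
            flags.append("location:" + str(row["location"]))
        row["flags"] = flags
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in load_addons(SAMPLE_EXTENSIONS_JSON, SAMPLE_PREFS_JS):
        print(json.dumps(row))
```

Point it at a real profile by reading `extensions.json` and `prefs.js` from the profile directory; the `storage_dir` value is what to look for under `storage\default\` when you want the addon's own persisted data, and `installed` is the timestamp to line up against the `staged\` file-creation events and the parent process of firefox.exe.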

Chrome

When you install an addon on Chrome, the following traces are observed:

Download process:

chrome.exe loads BitsProxy.dll > svchost.exe loads bits*.dll > BITS downloads the addon and logs the transfer in the “Microsoft-Windows-Bits-Client” event log (EventID 59 and 60).

URL requests:

  • http://edgedl[.]me.gvt1[.]com/edgedl/release2/chrome_component/*.crx3
  • http://edgedl[.]me.gvt1[.]com/edgedl/chromewebstore/*.crx
  • https://clients2[.]google[.]com/service/update2/crx?*
  • https://clients2[.]googleusercontent[.]com/crx/blobs/*.crx
  • any URL ending in .crx or .crx3 that is not served from the Chrome Web Store hosts above

It seems that Chrome will download the extension in both crx and crx3 formats for backward compatibility…

File creations:

Once the BITS download completes, svchost.exe writes the crx3 file to C:\Program Files\chrome_BITS_*\*.crx3

chrome.exe then writes:

  • C:\Users\username\AppData\Local\Google\Chrome\User Data\Webstore Downloads\*.crx
  • C:\Users\username\AppData\Local\Temp\scoped_dir*\*.crx
  • C:\Users\username\AppData\Local\Temp\scoped_dir*\CRX_INSTALL\assets\EXTENSION_NAME\*
  • C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\EXTENSION_NAME\*

Registry:

When installing the crx extension, chrome.exe accesses HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\*\.crx\*

Images loaded by chrome.exe (not useful for detection on their own, because Chrome uses these DLLs for other purposes too):

  • C:\Program Files\Google\Chrome\Application\*\chrome_elf.dll (to install the addon)
  • C:\Windows\System32\BitsProxy.dll (to download the addon with BITS)

CLI installation (if it occurred):

  • ...chrome.exe --enable-extensions --install-extension="*.crx"
  • look for chrome.exe command lines containing .crx or .crx3

Note: In C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\ each folder is named after an extension ID and represents one Chrome extension (additional profiles have their own directory, e.g. Profile 1, next to Default).
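As an added example (not the author's code) that serves both the Firefox and the Chrome sections above, here is the trace list turned into detection logic over Sysmon-style events: file creations (EventID 11), process creations with their parent (EventID 1) and the BITS-Client 59/60 events. The event dictionaries, their field names (EventID, Image, TargetFilename, CommandLine, ParentImage, and a url field on the BITS events) and the sample events are all constructed for the example, so rename fields to match your SIEM's schema. The profile directory names are widened from the page's `*.default-esr` and `Default` to `*` so the globs also cover `*.default-release` and `Profile N` directories.

```python
import fnmatch
from urllib.parse import urlsplit

# Globs derived from the traces listed above (matched case-insensitively).
# Profile directory names are widened to "*" so that Firefox "*.default-release"
# and Chrome "Profile N" directories are covered as well as the ones on the page.
RULES = [
    # (rule name, browser, Sysmon EventID, field to match, globs)
    ("firefox_staged_xpi", "firefox", 11, "TargetFilename",
     [r"c:\users\*\appdata\roaming\mozilla\firefox\profiles\*\extensions\staged\*"]),
    ("firefox_ext_storage_dir", "firefox", 11, "TargetFilename",
     [r"c:\users\*\appdata\roaming\mozilla\firefox\profiles\*\storage\default\moz-extension+++*"]),
    ("firefox_cli_install", "firefox", 1, "CommandLine",
     [r"*firefox*-install-global-extension*.xpi*"]),
    ("chrome_bits_staging", "chrome", 11, "TargetFilename",
     [r"c:\program files\chrome_bits_*\*.crx3"]),
    ("chrome_crx_written", "chrome", 11, "TargetFilename",
     [r"c:\users\*\appdata\local\google\chrome\user data\webstore downloads\*.crx",
      r"c:\users\*\appdata\local\temp\scoped_dir*\*.crx",
      r"c:\users\*\appdata\local\temp\scoped_dir*\crx_install\*"]),
    ("chrome_extension_dir", "chrome", 11, "TargetFilename",
     [r"c:\users\*\appdata\local\google\chrome\user data\*\extensions\*\*"]),
    ("chrome_cli_install", "chrome", 1, "CommandLine",
     [r"*chrome.exe*--install-extension*", r"*chrome.exe*.crx*"]),
]

# Hosts Chrome itself downloads CRX files from (see the URL list above). A
# .crx/.crx3 fetched from anywhere else is the "not from the Chrome Web Store" case.
CHROME_CRX_HOSTS = {"edgedl.me.gvt1.com", "clients2.google.com",
                    "clients2.googleusercontent.com"}


def _match(value, globs):
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, g.lower()) for g in globs)


def scan(events):
    """Return one hit per (event, rule) that fires; events are dicts in Sysmon field naming."""
    hits = []
    for index, event in enumerate(events):
        event_id = event.get("EventID")
        # BITS-Client 59/60 = transfer started/stopped; the url field says what was fetched
        if event.get("Provider") == "Microsoft-Windows-Bits-Client" and event_id in (59, 60):
            url = event.get("url", "")
            parts = urlsplit(url)
            known_host = (parts.hostname or "") in CHROME_CRX_HOSTS
            if known_host or parts.path.lower().endswith((".crx", ".crx3")):
                hits.append({"rule": "chrome_bits_crx_download", "browser": "chrome",
                             "event": index, "known_google_host": known_host, "url": url})
            continue
        for name, browser, rule_event_id, field, globs in RULES:
            if event_id == rule_event_id and _match(event.get(field, ""), globs):
                hit = {"rule": name, "browser": browser, "event": index}
                if event_id == 1:  # the page's advice: check who launched the browser
                    hit["parent"] = event.get("ParentImage")
                hits.append(hit)
    return hits


# Constructed sample events (user name, paths, extension id and URLs are invented).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-esr\extensions\staged\myaddon.xpi"},
    {"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -install-global-extension C:\temp\myaddon.xpi'},
    {"Provider": "Microsoft-Windows-Bits-Client", "EventID": 60,
     "url": "https://clients2.googleusercontent.com/crx/blobs/AbCd/extension_1_2_3.crx"},
    {"Provider": "Microsoft-Windows-Bits-Client", "EventID": 60,
     "url": "http://updates.example.net/tools/helper.crx3"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\chrome_BITS_1234_567\abcdef.crx3"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.2.3_0\manifest.json"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-extensions --install-extension="C:\temp\helper.crx"'},
    # benign noise that must not fire
    {"EventID": 11, "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.org/'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Writes under `User Data\*\Extensions\` also happen on every automatic update, so `chrome_extension_dir` is a triage signal rather than an alert on its own; correlate it with a `chrome_bits_crx_download` hit from a non-Google host, a `chrome_cli_install` hit, or an unexpected parent process before raising it.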

Conclusion:

I would look for any of these traces to find out when and how the addon was installed and if an incident occurred.

Check the extension folder creation date and the manifest.json in each folder to get details on the addon installed. To get more information via the command line, we can also examine Chrome’s database files.
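As an added example (not the author's code), the script below does the triage the conclusion describes for Chrome: it walks `User Data\<profile>\Extensions\<id>\<version>\manifest.json`, resolves `__MSG_*__` localized names from `_locales`, records the extension directory's creation time, and merges in the per-extension entry from `Secure Preferences` (falling back to `Preferences`), which stores the install time as a WebKit timestamp (microseconds since 1601-01-01) together with `from_webstore` and a numeric install `location`. The `LOCATIONS` table is my reading of Chromium's ManifestLocation enum and the triage flags are my heuristics; neither comes from the page. The sample profile is constructed in a temporary directory with invented ids, names and timestamps.

```python
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium's ManifestLocation values as I read them in the Chromium source
# (assumption, not from the page): where Chrome says the extension came from.
LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry",
             4: "unpacked", 5: "component", 6: "external_pref_download",
             7: "external_policy_download", 8: "command_line",
             9: "external_policy", 10: "external_component"}

# install_time is stored as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(value):
    return (WEBKIT_EPOCH + timedelta(microseconds=int(value))).isoformat()


def _resolve_name(manifest, ext_dir):
    """Names are often '__MSG_key__' placeholders resolved via _locales/<lang>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text(encoding="utf-8")).get(name[6:-2], {}).get("message", name)
    return name


def _load_settings(profile_dir):
    """extensions.settings lives in 'Secure Preferences' on Windows; fall back to 'Preferences'."""
    for fname in ("Secure Preferences", "Preferences"):
        path = profile_dir / fname
        if path.is_file():
            settings = json.loads(path.read_text(encoding="utf-8")).get("extensions", {}).get("settings", {})
            if settings:
                return settings
    return {}


def inventory(profile_dir):
    """One row per Extensions/<id>/<version>/manifest.json, merged with the preferences entry."""
    profile_dir = Path(profile_dir)
    settings = _load_settings(profile_dir)
    rows = []
    for manifest_path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        ext_dir = manifest_path.parent
        ext_id = ext_dir.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        pref = settings.get(ext_id, {})
        row = {
            "id": ext_id,
            "name": _resolve_name(manifest, ext_dir),
            "version": manifest.get("version"),
            "permissions": manifest.get("permissions", []) + manifest.get("host_permissions", []),
            # st_ctime is the creation time on Windows; elsewhere it is the inode change time
            "dir_ctime": datetime.fromtimestamp(ext_dir.stat().st_ctime, tz=timezone.utc).isoformat(),
            "install_time": webkit_to_iso(pref["install_time"]) if "install_time" in pref else None,
            "from_webstore": pref.get("from_webstore"),
            "location": LOCATIONS.get(pref.get("location"), "unknown"),
        }
        flags = []
        if row["from_webstore"] is not True:
            flags.append("not-from-webstore")
        if row["location"] not in ("internal", "component"):
            flags.append("location:" + row["location"])
        if "<all_urls>" in row["permissions"]:
            flags.append("all-urls")
        row["flags"] = flags
        rows.append(row)
    return rows


def build_sample_profile(root):
    """Write a constructed, minimal profile (invented ids, names and times) under root."""
    profile = Path(root) / "User Data" / "Default"
    sample = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("2.0.1_0",
            {"manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
             "version": "2.0.1", "permissions": ["storage"]},
            {"install_time": "13335868800000000", "from_webstore": True, "location": 1}),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("1.0_0",
            {"manifest_version": 3, "name": "Helper Tools", "version": "1.0",
             "permissions": ["tabs", "webRequest"], "host_permissions": ["<all_urls>"]},
            {"install_time": "13335872400000000", "from_webstore": False, "location": 3}),
    }
    settings = {}
    for ext_id, (version, manifest, pref) in sample.items():
        ext_dir = profile / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        settings[ext_id] = pref
    locale_dir = profile / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.0.1_0" / "_locales" / "en"
    locale_dir.mkdir(parents=True)
    (locale_dir / "messages.json").write_text(json.dumps({"appName": {"message": "Notes Sync"}}), encoding="utf-8")
    (profile / "Secure Preferences").write_text(json.dumps({"extensions": {"settings": settings}}), encoding="utf-8")
    return profile


def demo():
    """Build the sample profile in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(tmp))


if __name__ == "__main__":
    for row in demo():
        print(json.dumps(row))
```

On a live system call `inventory()` with the profile path (`...\Google\Chrome\User Data\Default`, or `Profile N` for other profiles); `install_time` from the preferences is the timestamp to line up with the BITS and file-creation events above, and a `not-from-webstore` or `location:external_registry` / `location:command_line` flag is the first thing to look at when the extension is one nobody recognizes.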

Written by mthcht

Threat Hunting - DFIR - Detection Engineering